Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi

Overview

General Information

Sample name:SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi
Analysis ID:1504095
MD5:3f3cd65706b50287fd2ba986dacd6cb0
SHA1:856d68eaa9ec542c2d9a5229bfeb97f16470cca9
SHA256:5ddc52155a66f0d761d56269200a4d0de19a4c4c1ffb20aad9757f0f3ce5c049
Tags:msi
Infos:

Detection

AteraAgent
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Yara detected AteraAgent
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Very long command line found
Writes many files with high entropy
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Is looking for software installed on the system
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Startup Folder File Write
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • svchost.exe (PID: 7316 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • msiexec.exe (PID: 7420 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7508 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7696 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 88B9AFD431CCCBC2C183FA86EEAF26D8 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • AteraAgent.exe (PID: 7924 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="gearoid@pcsales.ie" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" MD5: 28D920237F64F246331725C1B2A29D1B)
    • msiexec.exe (PID: 5352 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B00A7C36C28E7241176BB9CC8D98E5DB E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • AnyDesk-f45e5af2_msi.exe (PID: 5048 cmdline: "C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe" --control MD5: 93B4FC0135DEBA59A7D1A59468FE2794)
  • Sgrmuserer.exe (PID: 7556 cmdline: C:\Windows\system32\Sgrmuserer.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 7660 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7772 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 7804 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AteraAgent.exe (PID: 8036 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 28D920237F64F246331725C1B2A29D1B)
    • sc.exe (PID: 8148 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 6608 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "7f4bc6c6-59a6-4bc9-8598-c31d718ec694" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7276 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "4d4475cf-de40-427c-84dc-885cd4d49f26" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 1244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 8128 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "286bd9d8-353a-4b8d-9785-82c1528904e7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 7456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7032 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 2348 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageADRemote.exe (PID: 2832 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1770ba0d-887c-48bc-9dfe-81a93d31467b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjozLCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9wYWNrYWdlc3N0b3JlLmJsb2IuY29yZS53aW5kb3dzLm5ldC9pbnN0YWxsZXJzL0FueURlc2svQWdlbnRfQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSJ9" MD5: 3180C705182447F4BCC7CE8E2820B25D)
      • conhost.exe (PID: 1556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 3852 cmdline: "msiexec.exe" /i "C:\Windows\TEMP\AnyDesk-CM.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageMonitoring.exe (PID: 2800 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 328987ae-dff2-409c-a138-b16d9739728b "8f1aa051-8e50-4815-abc3-1c6545289f2a" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" MD5: B50005A1A62AFA85240D1F65165856EB)
      • conhost.exe (PID: 2896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 7268 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 28D920237F64F246331725C1B2A29D1B)
    • sc.exe (PID: 8028 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 1132 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1d3f044-b3ad-4477-a71b-e7adea6af624" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)
      • conhost.exe (PID: 6560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5936 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 1128 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 6872 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "56e78124-ff9e-4e29-ad5e-0209b83f61c7" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" MD5: 00A4D22D776D110ADCC63F0C567131C6)
      • conhost.exe (PID: 3600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageUpgradeAgent.exe (PID: 7120 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 328987ae-dff2-409c-a138-b16d9739728b "7cc0114f-d163-4617-a905-9a329cdf5945" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" MD5: 6095B43FA565DA44E7A818CFB4BACBA2)
      • conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 4236 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 328987ae-dff2-409c-a138-b16d9739728b "197104ea-9832-45bd-9a2f-8c3a39747567" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 7264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageSystemTools.exe (PID: 560 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 328987ae-dff2-409c-a138-b16d9739728b "28e860a2-285e-4a91-9ed0-d2614790e752" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" MD5: 26E9CCE4BD85A1FCACBF03A8C3F3DDCA)
      • conhost.exe (PID: 412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageRuntimeInstaller.exe (PID: 3324 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 328987ae-dff2-409c-a138-b16d9739728b "e4786dfd-8714-4cf5-9610-b4bc75778433" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjMyIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzNiMTFiZDM4LTU4ZmQtNDc4My05ZDdmLWUxOGUwNDA5ZmU2YS9hM2RmNGM3ZWJmZjhmYzJjNjdkN2M5ZjU1MThmYjdmZC9kb3RuZXQtcnVudGltZS02LjAuMzItb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9hYTBiMWY3MS04ZGZjLTRiMWItOTUyNS0yMjQ5Y2Q0N2NkN2QvZWRkNDJjM2YyYmYxMTEwNjczNTVhZTFkNDU5OGZhNTEvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2I2ZGIyMjYxLTQyODgtNDc0Zi04NzYyLTRlZTA2YmNiMTIyNy9lOGIxNDU4ZWE5ZjgyYjkwZTYzYmU4ZmU4YjlmMjc3NS9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80NTE1YWFhYS1jN2Q1LTQwYmYtYjdmZC1mNDc2ZDZlYTNiMWEvYzU0NWVhOTJkYmQ1Mzc3NTNhZWZiOTM3NDc4ZmQ1MzIvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzQ4ZWRkZTFlLTFlOGYtNGRiNi1iNGRjLWM4ODI1NTZkZGE0Yi8wODRhZjllNTQ2ODZmNzBhOGRhZWNlYTJkMmZiZTJjYi9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6ImszRlZuUDdFQ25zUWdITm92ZTBvZmFVNXgzVFVHVDZkOFk3TmFwbTZPZWpuNXBpVXNoZlcwczc1QkJhVUR6T3hrNmxXL01BOFJnM2pqTVFIai9Eb3lRPT0iLCJNYWNYNjRDaGVja3N1bSI6IjZ2bUxDeVFPSnBrUkFtSDMxUnRYZE9tSnFuQkZEXHUwMDJCZ1VGeWxzN3hjSldvWmZcdTAwMkJuc25WWWtRc2JIYWV0TXVUcm8xaWRMcDhSVnl6RjE4NmFLQUNoSkZnUT09IiwiV2luQVJNQ2hlY2tzdW0iOiJ3eG02bWxhZkdzWXpPTmh4WVBLSW85a3RBVkN0WC94MGVua0s0RjAwUHJQMm9FSTI3aXFPNTh2akFEOHpITUMwenRYNnBBWWZNb0hEMXoyczYzcm5SQT09IiwiV2luWDY0Q2hlY2tzdW0iOiI1Ry9MOVhSM2J0R0ZrcGFoaHpTdkVDcVNIb3J1d0FhZTZVdkk4azFNYWFvb3NiRmR5Nk4xU3NHdFB2NEpuSUs4UmxPVUtUSHU2NFZMTHRCb1RWTHFoUT09IiwiV2luWDg2Q2hlY2tzdW0iOiJTZU51SVx1MDAyQkhMaTM0L0JQL1ZKcHFqb2FaeVZDY1ZLVnNhQUdtalc5dWJyeUFrZ3pkZ2wwS2xjNENuT2ljZ01Mb2R4dVNVcU9SeVRJbUdZWmVGSzlMbW1RPT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" MD5: 77C613FFADF1F4B2F50D31EEEC83AF30)
      • conhost.exe (PID: 1840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMarketplace.exe (PID: 7524 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1de39b7-f261-48cb-9dc4-629b89d8a751" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" MD5: 601E661FD5917647D8932600560E6A27)
      • conhost.exe (PID: 3228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageADRemote.exe (PID: 764 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1d2acbd6-a090-4ad5-8aa2-025239e0beed" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" MD5: 3180C705182447F4BCC7CE8E2820B25D)
      • conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Agent.Package.Availability.exe (PID: 4844 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 328987ae-dff2-409c-a138-b16d9739728b "0b89ae87-0eed-4d02-93ce-0ff8d9af8844" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" MD5: EEB8806784553B29F5E8CE3F3566C452)
      • conhost.exe (PID: 2348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 2288 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 8088 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AnyDesk-f45e5af2_msi.exe (PID: 4200 cmdline: "C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe" --service MD5: 93B4FC0135DEBA59A7D1A59468FE2794)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Windows\Installer\MSI9AE3.tmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
    C:\Windows\System32\InstallUtil.InstallLogJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
      C:\Windows\Temp\~DFFC36A7348E90ED6B.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
        C:\Windows\Temp\~DFFBC50EC9FCD8D654.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
          C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
            Click to see the 97 entries

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            0000000A.00000002.1741361683.000002402D60C000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
              0000003A.00000002.1811224169.000001F4715B0000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                0000000A.00000002.1741226258.000002402D5C0000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                  0000001F.00000002.1548276807.000001CDF33B6000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                    0000000A.00000002.1831401511.000002404689D000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                      Click to see the 303 entries

                      Unpacked PEs

                      SourceRuleDescriptionAuthorStrings
                      49.0.AgentPackageSystemTools.exe.11c773b0000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                        49.2.AgentPackageSystemTools.exe.11c77b90000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                          31.2.AgentPackageMonitoring.exe.1cdf1b70000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                            9.0.AteraAgent.exe.1f267be0000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                              53.2.AgentPackageMarketplace.exe.19356560000.3.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                                Click to see the 16 entries

                                Sigma Signatures

                                System Summary

                                barindex
                                Sigma detected: Remote Thread Creation By Uncommon Source Image
                                Source: Threat createdAuthor: Perez Diego (@darkquassar), oscd.community: Data: EventID: 8, SourceImage: C:\Windows\SysWOW64\msiexec.exe, SourceProcessId: 5352, StartAddress: 7638D700, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 5352
                                Sigma detected: Startup Folder File Write
                                Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\System32\msiexec.exe, ProcessId: 7508, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
                                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                                Source: Process startedAuthor: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7032, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 2348, ProcessName: cscript.exe
                                Sigma detected: Windows Processes Suspicious Parent Directory
                                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, ProcessId: 7316, ProcessName: svchost.exe

                                Suricata Signatures

                                No Suricata rule has matched

                                Joe Sandbox Signatures

                                Click to jump to signature section

                                Show All Signature Results

                                AV Detection

                                barindex
                                AI detected suspicious sample
                                Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.7% probability
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA4E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,31_2_00007FF817AA4E20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA4DE0 CryptReleaseContext,31_2_00007FF817AA4DE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA4BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,31_2_00007FF817AA4BC0
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\PubNub-Messaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\sharedJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.AppJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebHeaderCollection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-fibers-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Buffers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-errorhandling-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-multibyte-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-time-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Specialized.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Reader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\coreclr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Metadata.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-private-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-math-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Memory.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Handles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\msquic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-rtlsupport-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.HttpListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.deps.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.ZipFile.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\ucrtbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Native.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-debug-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.OpenSsl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.Client.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Timer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Algorithms.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-filesystem-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.DispatchProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processenvironment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.StackTrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-util-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Immutable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Configuration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Queryable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-conio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebClient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.DataSetExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Requests.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tools.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.AppContext.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.HttpUtility.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-interlocked-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-profile-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TextWriterTraceListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-handle-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-utility-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.EventBasedAsync.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.RegularExpressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.Vectors.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Dynamic.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Csp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Mail.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.X509Certificates.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-libraryloader-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Loader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.Common.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ObjectModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.ResourceManager.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.ILGeneration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.VisualC.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Channels.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Quic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-runtime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Cng.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.runtimeconfig.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.Unsafe.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.DiagnosticSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-stdio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.CoreLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.versionJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\hostJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxrJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.32Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLogJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLogJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txtJump to behavior
                                Source: Binary string: C:\Windows\AteraAgent.pdbpdbent.pdb source: AteraAgent.exe, 00000012.00000002.2107624213.000002A06D060000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 0000001F.00000002.1545731021.000001CDF24B2000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: D:\a\12\s\AteraNugetPackages\Atera.AgentPackages.Exceptions\Atera.AgentPackages.Exceptions\obj\Release\Atera.AgentPackages.Exceptions.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1640789464.000001BA14612000.00000002.00000001.01000000.00000019.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 0000000D.00000002.1421661955.000001B6AF302000.00000002.00000001.01000000.00000009.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb< source: AgentPackageAgentInformation.exe, 0000000D.00000000.1402430407.000001B6AEE92000.00000002.00000001.01000000.00000007.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 0000001F.00000002.1547589739.000001CDF2782000.00000002.00000001.01000000.00000015.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1544567582.000001CDF1BC2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdbSHA256 source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb-a source: AgentPackageADRemote.exe, 0000001C.00000002.1640544426.000001BA145D2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: \??\C:\Windows\Atera.AgentPackages.CommonLib.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D2ED000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageADRemote\AgentPackageADRemote\obj\Release\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 0000001C.00000000.1471696821.000001BA14192000.00000002.00000001.01000000.0000000B.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\win_dwm\win_dwm.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000D0C000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\net35\Newtonsoft.Json.pdbJT source: AteraAgent.exe, 0000000A.00000002.1826893185.0000024046642000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: ommonLib.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1637281742.000000B6F2351000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D2ED000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\exe\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D2ED000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\net35\Newtonsoft.Json.pdb source: AteraAgent.exe, 0000000A.00000002.1826893185.0000024046642000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: AgentPackageMonitoring.exe, 0000001F.00000002.1547016268.000001CDF26C2000.00000002.00000001.01000000.00000014.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\privacy_feature\privacy_feature.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000D0C000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: `C:\Windows\Atera.AgentPackages.CommonLib.pdb1- source: AgentPackageADRemote.exe, 0000001C.00000002.1637281742.000000B6F2351000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1545979034.000001CDF2552000.00000002.00000001.01000000.00000012.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 0000000D.00000000.1402430407.000001B6AEE92000.00000002.00000001.01000000.00000007.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1545731021.000001CDF24B2000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 0000000D.00000002.1422557905.000001B6C7FC2000.00000002.00000001.01000000.0000000A.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1652885949.000001BA2D520000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.PDB&- source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D230000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: AgentPackageAgentInformation.exe, 0000000D.00000002.1422557905.000001B6C7FC2000.00000002.00000001.01000000.0000000A.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1652885949.000001BA2D520000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1547016268.000001CDF26C2000.00000002.00000001.01000000.00000014.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdbp source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\win_dwm\win_dwm.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000CD7000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1640544426.000001BA145D2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: D:\a\12\s\AteraNugetPackages\Atera.AgentPackages.Exceptions\Atera.AgentPackages.Exceptions\obj\Release\Atera.AgentPackages.Exceptions.pdbJ,d, V,_CorDllMainmscoree.dll source: AgentPackageADRemote.exe, 0000001C.00000002.1640789464.000001BA14612000.00000002.00000001.01000000.00000019.sdmp
                                Source: Binary string: D:\a\42\s\AlphaAgent\trunk\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000009.00000000.1308365620.000001F267BE2000.00000002.00000001.01000000.00000004.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 0000001F.00000002.1544567582.000001CDF1BC2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 0000000D.00000002.1421661955.000001B6AF302000.00000002.00000001.01000000.00000009.sdmp
                                Source: Binary string: System.pdb source: AteraAgent.exe, 0000000A.00000002.1811264088.00000240464CD000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000000.1590661348.0000000000E39000.00000002.00000001.01000000.00000017.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\privacy_feature\privacy_feature.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000D0C000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Pandu\GitHub\c-sharp\csharp.net\PubNub-Messaging\obj\Release\PubNub-Messaging.pdb source: AteraAgent.exe, 0000000A.00000002.1743556189.000002402DBD2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1559418896.00007FF817BEA000.00000002.00000001.01000000.0000000D.sdmp
                                Source: Binary string: \??\C:\Windows\System.pdbkS source: AteraAgent.exe, 0000000A.00000002.1831401511.0000024046855000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1547589739.000001CDF2782000.00000002.00000001.01000000.00000015.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D230000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: SAS.pdbR source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000CD7000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: SAS.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000CD7000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                                Source: C:\Windows\System32\svchost.exeFile opened: d:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeFile opened: c:
                                Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax10_2_00007FF7C0D1F303
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CC472Dh10_2_00007FF7C0CC46B6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax10_2_00007FF7C0D1C11D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CC1648h10_2_00007FF7C0CC15EA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0EA1DD3h10_2_00007FF7C0EA1D1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0D3FB10h18_2_00007FF7C0CE216D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CE472Dh18_2_00007FF7C0CE46B4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CFA17Ah18_2_00007FF7C0CFA025
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CFA340h18_2_00007FF7C0CFA025
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CE0F80h18_2_00007FF7C0CE0F40
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CE1151h18_2_00007FF7C0CE0F40
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0EC9330h18_2_00007FF7C0EC91A9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CE0F80h18_2_00007FF7C0CE0785
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CE1151h18_2_00007FF7C0CE0785
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FF7C0CE1648h18_2_00007FF7C0CE0785

                                Networking

                                barindex
                                Yara detected Generic Downloader
                                Source: Yara matchFile source: 13.0.AgentPackageAgentInformation.exe.1b6aee90000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dll, type: DROPPED
                                Source: Joe Sandbox ViewIP Address: 40.119.152.241 40.119.152.241
                                Source: Joe Sandbox ViewIP Address: 35.157.63.229 35.157.63.229
                                Source: Joe Sandbox ViewIP Address: 20.37.139.187 20.37.139.187
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ad.share.fbook.href=https://www.facebook.com/sharer/sharer.php?u=https%3A//anydesk.com/ equals www.facebook.com (Facebook)
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: ad.share.linkedin.href=https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Remote%20Desktop&summary=AnyDesk%20is%20a%20small%20and%20quick%20solution%20for%20screen%20sharing%20and%20remote%20collaboration.%20Get%20it%20here%3A%20https%3A//anydesk.com/&source= equals www.linkedin.com (Linkedin)
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2565282235.00000000032B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.facebook.comX equals www.facebook.com (Facebook)
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2565282235.00000000032B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.linkedin.comktop equals www.linkedin.com (Linkedin)
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.5/AGENT.PACKAGE.WATCHDOG.ZIP
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIP
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEINTERNALPOLLER/23.8/AGENTPACKAGEINTERNALPOLLER.Z
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.4/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A0002D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEOSUPDATES/19.4/AGENTPACKAGEOSUPDATES.ZIP
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A0002D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/23.9/AGENTPACKAGEPROGRAMMANAGE
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A00028B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/22.1/AGENTPACKAGESTREMOTE.ZIP
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/26.8/AGENTPACKAGESYSTEMTOOLS.ZIP
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGETICKETING/28.2/AGENTPACKAGETICKETING.ZIP
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEUPGRADEAGENT/26.8/AGENTPACKAGEUPGRADEAGENT.ZIP
                                Source: AteraAgent.exe, 0000000A.00000002.1743556189.000002402DBD2000.00000002.00000001.01000000.0000001D.sdmpString found in binary or memory: http://5System.Net.HttpWebResponseQSystem.Net.Browser.ClientHttpWebResponse
                                Source: AteraAgent.exe, 00000009.00000000.1308365620.000001F267BE2000.00000002.00000001.01000000.00000004.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000010000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E11B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E115000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000000D.00000002.1421997857.000001B6AF97F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B72199C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B72190D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721945000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA1505E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD80570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721945000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA1505E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agentapigateway-us.centralus.cloudapp.azure.com
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E115000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000000D.00000002.1421997857.000001B6AF97F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B72199C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B72190D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD80570000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A00108C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000F86000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A001008000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000E70000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000B64000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A00108C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000F86000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A001008000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000E70000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000B64000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A00108C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000F86000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A001008000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000E70000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000B64000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AgentPackageAgentInformation.exe, 0000000D.00000000.1402430407.000001B6AEE92000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1547016268.000001CDF26C2000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A00108C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000F86000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A001008000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000E70000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000B64000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F46000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://packagesstore.blob.core.windows.net
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E11B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: AteraAgent.exe, 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: AteraAgent.exe, 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000000D.00000002.1421997857.000001B6AF8D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000010000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721751000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: svchost.exe, 00000007.00000002.2545047058.000002AA1E887000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2545858532.000002AA1F118000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: http://support.anydesk.com
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1544896951.000001CDF2362000.00000002.00000001.01000000.00000010.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.anydesk.com/
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000C08000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A00108C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000F86000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A001008000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000E70000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000B64000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F6E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 0000000A.00000002.1826893185.0000024046642000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: http://www.newtonsoft.com/jsonschema
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.opengl.org/registry/
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.openssl.org/)
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.openssl.org/support/faq.html
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: http://www.openssl.org/support/faq.htmlEC_PRIVATEKEYpublicKeyparametersprivateKeyECPKPARAMETERSvalue
                                Source: AteraAgent.exe, 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B7219C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000000D.00000002.1421997857.000001B6AF8D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000010000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B72190D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721945000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721751000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA15006000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B7219C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Prh
                                Source: AgentPackageAgentInformation.exe, 0000000D.00000002.1421997857.000001B6AF8D3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B72190D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721945000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE48000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AgentPackageAgentInformation.exe, 0000000D.00000002.1421997857.000001B6AF8D3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA15006000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DED5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE48000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000010000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringP
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DED5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721751000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B7219C1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiComm
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B7219C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B7217E3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B72190D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721945000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/328987ae-dff2-409c-a138-b16d9739728b
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1548352968.000001CDF3490000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/328987ae-dff2-409c-a138-b16d9739728bx
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: https://anydesk.com
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://anydesk.com/
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://anydesk.com/company#imprint
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://anydesk.com/order
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://anydesk.com/privacy
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://anydesk.com/terms
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1632400515.000000000336D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://anydesk.com/ti
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://anydesk.com/update
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://boot-01.net.anydesk.com
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: https://boot.net.anydesk.comabcdefABCDEFtruefalsebase.prot.packetInvalid
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://console-ui.myanydesk2.on.anydesk.com
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: https://datatracker.ietf.org/ipr/1524/
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: https://datatracker.ietf.org/ipr/1526/
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: https://datatracker.ietf.org/ipr/1914/
                                Source: AgentPackageAgentInformation.exe, 0000000D.00000002.1422557905.000001B6C7FC2000.00000002.00000001.01000000.0000000A.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1652885949.000001BA2D520000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1547016268.000001CDF26C2000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39588
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/roslyn/issues/46646
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/runtime/issues/73124.
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.anydesk.com/
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.anydesk.com/$
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: https://help.anydesk.com/HelpLinkInstallLocationAnyDesk
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.anydesk.com/access
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.anydesk.com/backup-alias
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.anydesk.com/error-messages
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.anydesk.com/macos-security
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.anydesk.com/share
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://help.anydesk.com/wol
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://my.anydesk.com
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2559861044.00000000016A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://my.anydesk.com/download/8CQsu9kv/AnyDesk_Custom_Client.msi
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2564926088.00000000020D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://my.anydesk.com/download/8CQsu9kv/AnyDesk_Custom_Client.msiJ
                                Source: AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: https://my.anydesk.com/password-generator.
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546962458.000001CDF26B8000.00000002.00000001.01000000.00000013.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://order.anydesk.com/trial
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F42000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14D36000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14EF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/AnyDesk/Agent_AnyDesk_Custom_Client.msi
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/AnyDesk/Agent_AnyDesk_Custom_Client.msi(
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA15006000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/anydesk/agent_anydesk_custom_client.msi
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://policies.google.com/privacy?hl=$
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DED5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageADRemote/1.6/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgentIn
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageInternalPoller/13.0/AgentPackageInternalPoller.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.1/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageProgramManagement/23.9/AgentPackageProgramManageme
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/22.1/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSystemTools/26.6/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTicketing/13.0/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageUpgradeAgent/26.7/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.ziptem
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip?pGaRIy
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?pGaRIyGOKx
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DED5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEC0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformati
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?pGaRIy
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.4/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.4/AgentPackageMarketplace.zip?pGaR
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip?pGaRI
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A0002D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zip?pGaRIyG
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A0002D0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/23.9/AgentPackageProgramManage
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/22.1/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A00028B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/22.1/AgentPackageSTRemote.zip?pGaRIyGOK
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip?pGa
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/28.2/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/28.2/AgentPackageTicketing.zip?pGaRIyG
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip?p
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageADRemote/1.2/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgen
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageOsUpdates/1.0/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageProgramManagement/15.5/AgentPackageProgramManageme
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSystemTools/18.9/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTicketing/18.9/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E11B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E11B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A0000B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E11B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A0000B0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/328987ae-dff2-409c-a138-b1
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.anydesk.com/
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.anydesk.com/AnyDesk_on_macOS
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1547589739.000001CDF2782000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1548081777.000001CDF27E4000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/home?status=Do%20you%20know%20%23AnyDesk?%20AnyDesk%20is%20a%20small%20and%20qui
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1547589739.000001CDF2782000.00000002.00000001.01000000.00000015.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/$
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.linkedin.com/shareArticle?mini=true&url=https%3A//anydesk.com/&title=Try%20AnyDesk%20Rem
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpString found in binary or memory: https://www.nayuki.io/page/qr-code-generator-library
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1547016268.000001CDF26C2000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1546962458.000001CDF26B8000.00000002.00000001.01000000.00000013.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: AteraAgent.exe, 0000000A.00000002.1826893185.0000024046642000.00000002.00000001.01000000.00000025.sdmp, AgentPackageAgentInformation.exe, 0000000D.00000002.1422557905.000001B6C7FC2000.00000002.00000001.01000000.0000000A.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1652885949.000001BA2D520000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1547016268.000001CDF26C2000.00000002.00000001.01000000.00000014.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1559899567.00007FF817C34000.00000002.00000001.01000000.0000000D.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: DirectDrawCreateExmemstr_ebe43d50-f

                                Spam, unwanted Advertisements and Ransom Demands

                                barindex
                                Reads the Security eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SecurityJump to behavior
                                Reads the System eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\SystemJump to behavior
                                Writes many files with high entropy
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip entropy: 7.99935481254Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote.zip entropy: 7.99969341055Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip entropy: 7.99991937457Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog.zip entropy: 7.99897258519Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip entropy: 7.99871666858Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip entropy: 7.99988582147Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip entropy: 7.99991719918Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip entropy: 7.999222579Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip entropy: 7.99936269481Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip entropy: 7.99952935828Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip entropy: 7.99964488126Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip entropy: 7.99935468667Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip entropy: 7.99970533772Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller.zip entropy: 7.99966017869Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability.zip entropy: 7.9990874153Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-32.exe entropy: 7.99831158855Jump to dropped file

                                System Summary

                                barindex
                                Very long command line found
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: Commandline size = 2547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: Commandline size = 2547
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba71.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBBD8.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBBF9.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba73.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba73.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba74.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{96B92DFA-81A3-4790-BDF9-3D28564F56E6}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI286F.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI28BE.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{96B92DFA-81A3-4790-BDF9-3D28564F56E6}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{96B92DFA-81A3-4790-BDF9-3D28564F56E6}\AnyDesk.icoJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2B7F.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba77.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba77.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba78.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9AE3.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9AF4.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC476.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC477.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba82.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba82.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba83.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF8F5.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIFA1F.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba86.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba86.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI17F9.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba87.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1D88.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1F0F.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba8a.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba8a.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI20C6.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI273F.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI279E.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI286A.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba8d.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2DF9.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2E48.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3166.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI45D9.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI481C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba90.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\67ba90.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8286.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8537.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9E0F.tmpJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLogJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Windows\SysWOW64\msiexec.exeFile created: C:\Windows\Installer\wix{96B92DFA-81A3-4790-BDF9-3D28564F56E6}.SchedServiceConfig.rmi
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log
                                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIBBF9.tmpJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CDB1B110_2_00007FF7C0CDB1B1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CFE5E010_2_00007FF7C0CFE5E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0D057F010_2_00007FF7C0D057F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CDA73010_2_00007FF7C0CDA730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CC08CE10_2_00007FF7C0CC08CE
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CCA38810_2_00007FF7C0CCA388
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CDB1B110_2_00007FF7C0CDB1B1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0EA5A0210_2_00007FF7C0EA5A02
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0EA31C810_2_00007FF7C0EA31C8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0EA79BD10_2_00007FF7C0EA79BD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0EA3CF810_2_00007FF7C0EA3CF8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0EA5FFD10_2_00007FF7C0EA5FFD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 13_2_00007FF7C0CE192D13_2_00007FF7C0CE192D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 13_2_00007FF7C0D002FD13_2_00007FF7C0D002FD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 13_2_00007FF7C0CE860213_2_00007FF7C0CE8602
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 13_2_00007FF7C0CE785613_2_00007FF7C0CE7856
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 13_2_00007FF7C0CE12FA13_2_00007FF7C0CE12FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 13_2_00007FF7C0CEBD3013_2_00007FF7C0CEBD30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 13_2_00007FF7C0CF103013_2_00007FF7C0CF1030
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 15_2_00007FF7C0CC192D15_2_00007FF7C0CC192D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 15_2_00007FF7C0CC12FB15_2_00007FF7C0CC12FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CFB46018_2_00007FF7C0CFB460
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0D01B5018_2_00007FF7C0D01B50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CF0EFA18_2_00007FF7C0CF0EFA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CFFE7418_2_00007FF7C0CFFE74
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CFAF2818_2_00007FF7C0CFAF28
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CFAF2818_2_00007FF7C0CFAF28
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0EC719D18_2_00007FF7C0EC719D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0EC9AFB18_2_00007FF7C0EC9AFB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0EC629718_2_00007FF7C0EC6297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0EC348818_2_00007FF7C0EC3488
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0EC291018_2_00007FF7C0EC2910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0EC57DD18_2_00007FF7C0EC57DD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CE078518_2_00007FF7C0CE0785
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CE12FA21_2_00007FF7C0CE12FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CEC36F21_2_00007FF7C0CEC36F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0D064C021_2_00007FF7C0D064C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CE963221_2_00007FF7C0CE9632
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CE888621_2_00007FF7C0CE8886
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0D0C9D821_2_00007FF7C0D0C9D8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CE192D21_2_00007FF7C0CE192D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CECCF921_2_00007FF7C0CECCF9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CE401021_2_00007FF7C0CE4010
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0D04F7D21_2_00007FF7C0D04F7D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CE073021_2_00007FF7C0CE0730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CF59D121_2_00007FF7C0CF59D1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0D04BDC21_2_00007FF7C0D04BDC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0D04C7821_2_00007FF7C0D04C78
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0D05F9821_2_00007FF7C0D05F98
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CE3EF528_2_00007FF7C0CE3EF5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CE44B628_2_00007FF7C0CE44B6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CE3F2528_2_00007FF7C0CE3F25
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0E2378728_2_00007FF7C0E23787
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0F90AB528_2_00007FF7C0F90AB5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0F83FAE28_2_00007FF7C0F83FAE
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0F8900028_2_00007FF7C0F89000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0F89B2928_2_00007FF7C0F89B29
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B1B88031_2_00007FF817B1B880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BC20E031_2_00007FF817BC20E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BD01E031_2_00007FF817BD01E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BC696031_2_00007FF817BC6960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AF18DA31_2_00007FF817AF18DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AAD83031_2_00007FF817AAD830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BE184031_2_00007FF817BE1840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AEF78031_2_00007FF817AEF780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BDF79031_2_00007FF817BDF790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817ADD77031_2_00007FF817ADD770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B3772031_2_00007FF817B37720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B856D031_2_00007FF817B856D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B036E031_2_00007FF817B036E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B3169031_2_00007FF817B31690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9D63431_2_00007FF817A9D634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817ADF63031_2_00007FF817ADF630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AFB64731_2_00007FF817AFB647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA564031_2_00007FF817AA5640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9955C31_2_00007FF817A9955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A974B031_2_00007FF817A974B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9347431_2_00007FF817A93474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B6F3E031_2_00007FF817B6F3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AB93D031_2_00007FF817AB93D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B2D35031_2_00007FF817B2D350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B2B37031_2_00007FF817B2B370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9F34031_2_00007FF817A9F340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9D28431_2_00007FF817A9D284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BA320031_2_00007FF817BA3200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B0F22031_2_00007FF817B0F220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A911B031_2_00007FF817A911B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AFF1B031_2_00007FF817AFF1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B2917031_2_00007FF817B29170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B2A0C031_2_00007FF817B2A0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B340A031_2_00007FF817B340A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA7F3031_2_00007FF817AA7F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AC9F3031_2_00007FF817AC9F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B25F2031_2_00007FF817B25F20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B2FED031_2_00007FF817B2FED0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AEFEF031_2_00007FF817AEFEF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B37EA031_2_00007FF817B37EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B45EA031_2_00007FF817B45EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A97EC031_2_00007FF817A97EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B13EB031_2_00007FF817B13EB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AC3E1031_2_00007FF817AC3E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AD7E7031_2_00007FF817AD7E70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA5E5031_2_00007FF817AA5E50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B67D2031_2_00007FF817B67D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B6DCC031_2_00007FF817B6DCC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B7BCD031_2_00007FF817B7BCD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AD9CF031_2_00007FF817AD9CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BD3C2031_2_00007FF817BD3C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AD9BA031_2_00007FF817AD9BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B7DB8031_2_00007FF817B7DB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817ABBBE031_2_00007FF817ABBBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AF7B3031_2_00007FF817AF7B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B33AF031_2_00007FF817B33AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AC5AD031_2_00007FF817AC5AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B47A6031_2_00007FF817B47A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AC9A6031_2_00007FF817AC9A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AFB9F031_2_00007FF817AFB9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817ABD91031_2_00007FF817ABD910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AE88A031_2_00007FF817AE88A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A928C031_2_00007FF817A928C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B5686031_2_00007FF817B56860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9E80C31_2_00007FF817A9E80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA886031_2_00007FF817AA8860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B2A7E031_2_00007FF817B2A7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AAE72031_2_00007FF817AAE720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA273831_2_00007FF817AA2738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BCC68031_2_00007FF817BCC680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B1060031_2_00007FF817B10600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BB05D031_2_00007FF817BB05D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B4A5D031_2_00007FF817B4A5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B4E59031_2_00007FF817B4E590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B7659031_2_00007FF817B76590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A985D431_2_00007FF817A985D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BCE5B031_2_00007FF817BCE5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9A52431_2_00007FF817A9A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B1455031_2_00007FF817B14550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AE051031_2_00007FF817AE0510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AF64A031_2_00007FF817AF64A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA44DC31_2_00007FF817AA44DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AB033031_2_00007FF817AB0330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AB231031_2_00007FF817AB2310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B5831031_2_00007FF817B58310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B3A2F031_2_00007FF817B3A2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B322B031_2_00007FF817B322B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B4C22031_2_00007FF817B4C220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B0224031_2_00007FF817B02240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B1C11031_2_00007FF817B1C110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BC50F031_2_00007FF817BC50F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AD902031_2_00007FF817AD9020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817ADAFB031_2_00007FF817ADAFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B2EFD031_2_00007FF817B2EFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA2F8C31_2_00007FF817AA2F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9CEA831_2_00007FF817A9CEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AF0E3031_2_00007FF817AF0E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817ABCE7031_2_00007FF817ABCE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A94DB431_2_00007FF817A94DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BCCD6031_2_00007FF817BCCD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B04D0031_2_00007FF817B04D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B16D2031_2_00007FF817B16D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B58D2031_2_00007FF817B58D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BE0D3031_2_00007FF817BE0D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817BC4C8031_2_00007FF817BC4C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817ADACD031_2_00007FF817ADACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA6CC031_2_00007FF817AA6CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B3CC0031_2_00007FF817B3CC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AE8B9031_2_00007FF817AE8B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B0CB5031_2_00007FF817B0CB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B7AB0031_2_00007FF817B7AB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AB6A8031_2_00007FF817AB6A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B5AA7031_2_00007FF817B5AA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AD8A6031_2_00007FF817AD8A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A98A3C31_2_00007FF817A98A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AEE99031_2_00007FF817AEE990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817B8691031_2_00007FF817B86910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0CBF73D31_2_00007FF7C0CBF73D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0CC0FD531_2_00007FF7C0CC0FD5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0CBCC7B31_2_00007FF7C0CBCC7B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0CBBD5131_2_00007FF7C0CBBD51
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0ED2AEB31_2_00007FF7C0ED2AEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0ED31C631_2_00007FF7C0ED31C6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0EDEFA831_2_00007FF7C0EDEFA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C101513831_2_00007FF7C1015138
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0FE644D31_2_00007FF7C0FE644D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0FE34B131_2_00007FF7C0FE34B1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0FE455731_2_00007FF7C0FE4557
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C1024DA031_2_00007FF7C1024DA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0FD403D31_2_00007FF7C0FD403D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C0FE58E731_2_00007FF7C0FE58E7
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C1011F8831_2_00007FF7C1011F88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C10A946431_2_00007FF7C10A9464
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C10A0A9731_2_00007FF7C10A0A97
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C10B31F031_2_00007FF7C10B31F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C10B55F831_2_00007FF7C10B55F8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C124C18B31_2_00007FF7C124C18B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C1253B4C31_2_00007FF7C1253B4C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C125B7CF31_2_00007FF7C125B7CF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF7C124000A31_2_00007FF7C124000A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FF817BE1D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FF817BE1B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FF817BE06B0 appears 145 times
                                Source: libx264-116.dll.3.drStatic PE information: Number of sections : 11 > 10
                                Source: System.Net.NetworkInformation.dll.3.drStatic PE information: No import functions for PE file found
                                Source: api-ms-win-core-util-l1-1-0.dll.3.drStatic PE information: No import functions for PE file found
                                Source: System.Collections.Immutable.dll.3.drStatic PE information: No import functions for PE file found
                                Source: System.Net.ServicePoint.dll.3.drStatic PE information: No import functions for PE file found
                                Source: System.IO.IsolatedStorage.dll.3.drStatic PE information: No import functions for PE file found
                                Source: legacy.dll.3.drStatic PE information: Section: UPX1 ZLIB complexity 0.9891530601211073
                                Source: libcurl.dll.3.drStatic PE information: Section: UPX1 ZLIB complexity 0.9919475446428572
                                Source: libssl-3.dll.3.drStatic PE information: Section: UPX1 ZLIB complexity 0.9904581372749591
                                Source: ICSharpCode.SharpZipLib.dll.3.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.3.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.3.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                                Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winMSI@100/1157@0/11
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA NetworksJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.logJump to behavior
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7456:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8048:120:WilError_03
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeMutant created: \BaseNamedObjects\Local\ad_f45e5af2_msi_trace_mtx
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeMutant created: \BaseNamedObjects\Local\ad_f45e5af2_msi_mailbox_5048_2547797955_1_mtx
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8156:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5352:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1840:120:WilError_03
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeMutant created: \BaseNamedObjects\Local\ad_f45e5af2_msi_mailbox_5048_2547797955_0_mtx
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2348:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6568:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMutant created: NULL
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageadremote_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2896:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3228:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:6560:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5488:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1556:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5516:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1244:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3600:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:412:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeMutant created: \BaseNamedObjects\Global\ad_f45e5af2_msi_7015_gsystem_mtx
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageruntimeinstaller_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7264:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1836:120:WilError_03
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeMutant created: \BaseNamedObjects\Global\ad_f45e5af2_msi_connect_queue_4200_2519153540_mtx
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF5F8D2BCC61A473AD.TMPJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.iniJump to behavior
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResultC{0} {1} {2} {3} or8ixLi90Mf "{4}"
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1548276807.000001CDF33B6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL)Pj;
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000001F.00000002.1559418896.00007FF817BEA000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1559418896.00007FF817BEA000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000001F.00000002.1559418896.00007FF817BEA000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000001F.00000002.1559418896.00007FF817BEA000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000001F.00000002.1559418896.00007FF817BEA000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000001F.00000002.1559418896.00007FF817BEA000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD805A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD805A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000001F.00000002.1559418896.00007FF817BEA000.00000002.00000001.01000000.0000000D.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1548174753.000001CDF33AF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL)p9;
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: unknownProcess created: C:\Windows\System32\Sgrmuserer.exe C:\Windows\system32\Sgrmuserer.exe
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 88B9AFD431CCCBC2C183FA86EEAF26D8
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="gearoid@pcsales.ie" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI=""
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "7f4bc6c6-59a6-4bc9-8598-c31d718ec694" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "4d4475cf-de40-427c-84dc-885cd4d49f26" agent-api.atera.com/Production 443 or8ixLi90Mf "identified"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "286bd9d8-353a-4b8d-9785-82c1528904e7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1770ba0d-887c-48bc-9dfe-81a93d31467b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjozLCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9wYWNrYWdlc3N0b3JlLmJsb2IuY29yZS53aW5kb3dzLm5ldC9pbnN0YWxsZXJzL0FueURlc2svQWdlbnRfQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSJ9"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 328987ae-dff2-409c-a138-b16d9739728b "8f1aa051-8e50-4815-abc3-1c6545289f2a" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i "C:\Windows\TEMP\AnyDesk-CM.msi" /qn
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B00A7C36C28E7241176BB9CC8D98E5DB E Global\MSI0000
                                Source: unknownProcess created: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe "C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe" --service
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe "C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe" --control
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1d3f044-b3ad-4477-a71b-e7adea6af624" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "56e78124-ff9e-4e29-ad5e-0209b83f61c7" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 328987ae-dff2-409c-a138-b16d9739728b "7cc0114f-d163-4617-a905-9a329cdf5945" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 328987ae-dff2-409c-a138-b16d9739728b "197104ea-9832-45bd-9a2f-8c3a39747567" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 328987ae-dff2-409c-a138-b16d9739728b "28e860a2-285e-4a91-9ed0-d2614790e752" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 328987ae-dff2-409c-a138-b16d9739728b "e4786dfd-8714-4cf5-9610-b4bc75778433" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjMyIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzNiMTFiZDM4LTU4ZmQtNDc4My05ZDdmLWUxOGUwNDA5ZmU2YS9hM2RmNGM3ZWJmZjhmYzJjNjdkN2M5ZjU1MThmYjdmZC9kb3RuZXQtcnVudGltZS02LjAuMzItb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9hYTBiMWY3MS04ZGZjLTRiMWItOTUyNS0yMjQ5Y2Q0N2NkN2QvZWRkNDJjM2YyYmYxMTEwNjczNTVhZTFkNDU5OGZhNTEvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2I2ZGIyMjYxLTQyODgtNDc0Zi04NzYyLTRlZTA2YmNiMTIyNy9lOGIxNDU4ZWE5ZjgyYjkwZTYzYmU4ZmU4YjlmMjc3NS9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80NTE1YWFhYS1jN2Q1LTQwYmYtYjdmZC1mNDc2ZDZlYTNiMWEvYzU0NWVhOTJkYmQ1Mzc3NTNhZWZiOTM3NDc4ZmQ1MzIvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzQ4ZWRkZTFlLTFlOGYtNGRiNi1iNGRjLWM4ODI1NTZkZGE0Yi8wODRhZjllNTQ2ODZmNzBhOGRhZWNlYTJkMmZiZTJjYi9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6ImszRlZuUDdFQ25zUWdITm92ZTBvZmFVNXgzVFVHVDZkOFk3TmFwbTZPZWpuNXBpVXNoZlcwczc1QkJhVUR6T3hrNmxXL01BOFJnM2pqTVFIai9Eb3lRPT0iLCJNYWNYNjRDaGVja3N1bSI6IjZ2bUxDeVFPSnBrUkFtSDMxUnRYZE9tSnFuQkZEXHUwMDJCZ1VGeWxzN3hjSldvWmZcdTAwMkJuc25WWWtRc2JIYWV0TXVUcm8xaWRMcDhSVnl6RjE4NmFLQUNoSkZnUT09IiwiV2luQVJNQ2hlY2tzdW0iOiJ3eG02bWxhZkdzWXpPTmh4WVBLSW85a3RBVkN0WC94MGVua0s0RjAwUHJQMm9FSTI3aXFPNTh2akFEOHpITUMwenRYNnBBWWZNb0hEMXoyczYzcm5SQT09IiwiV2luWDY0Q2hlY2tzdW0iOiI1Ry9MOVhSM2J0R0ZrcGFoaHpTdkVDcVNIb3J1d0FhZTZVdkk4azFNYWFvb3NiRmR5Nk4xU3NHdFB2NEpuSUs4UmxPVUtUSHU2NFZMTHRCb1RWTHFoUT09IiwiV2luWDg2Q2hlY2tzdW0iOiJTZU51SVx1MDAyQkhMaTM0L0JQL1ZKcHFqb2FaeVZDY1ZLVnNhQUdtalc5dWJyeUFrZ3pkZ2wwS2xjNENuT2ljZ01Mb2R4dVNVcU9SeVRJbUdZWmVGSzlMbW1RPT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1de39b7-f261-48cb-9dc4-629b89d8a751" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1d2acbd6-a090-4ad5-8aa2-025239e0beed" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ=="
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 328987ae-dff2-409c-a138-b16d9739728b "0b89ae87-0eed-4d02-93ce-0ff8d9af8844" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 88B9AFD431CCCBC2C183FA86EEAF26D8Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="gearoid@pcsales.ie" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI=""Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe "C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe" --controlJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "7f4bc6c6-59a6-4bc9-8598-c31d718ec694" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "4d4475cf-de40-427c-84dc-885cd4d49f26" agent-api.atera.com/Production 443 or8ixLi90Mf "identified"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "286bd9d8-353a-4b8d-9785-82c1528904e7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1770ba0d-887c-48bc-9dfe-81a93d31467b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjozLCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9wYWNrYWdlc3N0b3JlLmJsb2IuY29yZS53aW5kb3dzLm5ldC9pbnN0YWxsZXJzL0FueURlc2svQWdlbnRfQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSJ9"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 328987ae-dff2-409c-a138-b16d9739728b "8f1aa051-8e50-4815-abc3-1c6545289f2a" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1d3f044-b3ad-4477-a71b-e7adea6af624" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "56e78124-ff9e-4e29-ad5e-0209b83f61c7" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 328987ae-dff2-409c-a138-b16d9739728b "7cc0114f-d163-4617-a905-9a329cdf5945" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 328987ae-dff2-409c-a138-b16d9739728b "197104ea-9832-45bd-9a2f-8c3a39747567" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 328987ae-dff2-409c-a138-b16d9739728b "28e860a2-285e-4a91-9ed0-d2614790e752" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 328987ae-dff2-409c-a138-b16d9739728b "e4786dfd-8714-4cf5-9610-b4bc75778433" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjMyIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzNiMTFiZDM4LTU4ZmQtNDc4My05ZDdmLWUxOGUwNDA5ZmU2YS9hM2RmNGM3ZWJmZjhmYzJjNjdkN2M5ZjU1MThmYjdmZC9kb3RuZXQtcnVudGltZS02LjAuMzItb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9hYTBiMWY3MS04ZGZjLTRiMWItOTUyNS0yMjQ5Y2Q0N2NkN2QvZWRkNDJjM2YyYmYxMTEwNjczNTVhZTFkNDU5OGZhNTEvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2I2ZGIyMjYxLTQyODgtNDc0Zi04NzYyLTRlZTA2YmNiMTIyNy9lOGIxNDU4ZWE5ZjgyYjkwZTYzYmU4ZmU4YjlmMjc3NS9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80NTE1YWFhYS1jN2Q1LTQwYmYtYjdmZC1mNDc2ZDZlYTNiMWEvYzU0NWVhOTJkYmQ1Mzc3NTNhZWZiOTM3NDc4ZmQ1MzIvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzQ4ZWRkZTFlLTFlOGYtNGRiNi1iNGRjLWM4ODI1NTZkZGE0Yi8wODRhZjllNTQ2ODZmNzBhOGRhZWNlYTJkMmZiZTJjYi9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6ImszRlZuUDdFQ25zUWdITm92ZTBvZmFVNXgzVFVHVDZkOFk3TmFwbTZPZWpuNXBpVXNoZlcwczc1QkJhVUR6T3hrNmxXL01BOFJnM2pqTVFIai9Eb3lRPT0iLCJNYWNYNjRDaGVja3N1bSI6IjZ2bUxDeVFPSnBrUkFtSDMxUnRYZE9tSnFuQkZEXHUwMDJCZ1VGeWxzN3hjSldvWmZcdTAwMkJuc25WWWtRc2JIYWV0TXVUcm8xaWRMcDhSVnl6RjE4NmFLQUNoSkZnUT09IiwiV2luQVJNQ2hlY2tzdW0iOiJ3eG02bWxhZkdzWXpPTmh4WVBLSW85a3RBVkN0WC94MGVua0s0RjAwUHJQMm9FSTI3aXFPNTh2akFEOHpITUMwenRYNnBBWWZNb0hEMXoyczYzcm5SQT09IiwiV2luWDY0Q2hlY2tzdW0iOiI1Ry9MOVhSM2J0R0ZrcGFoaHpTdkVDcVNIb3J1d0FhZTZVdkk4azFNYWFvb3NiRmR5Nk4xU3NHdFB2NEpuSUs4UmxPVUtUSHU2NFZMTHRCb1RWTHFoUT09IiwiV2luWDg2Q2hlY2tzdW0iOiJTZU51SVx1MDAyQkhMaTM0L0JQL1ZKcHFqb2FaeVZDY1ZLVnNhQUdtalc5dWJyeUFrZ3pkZ2wwS2xjNENuT2ljZ01Mb2R4dVNVcU9SeVRJbUdZWmVGSzlMbW1RPT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1de39b7-f261-48cb-9dc4-629b89d8a751" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1d2acbd6-a090-4ad5-8aa2-025239e0beed" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ=="
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 328987ae-dff2-409c-a138-b16d9739728b "0b89ae87-0eed-4d02-93ce-0ff8d9af8844" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i "C:\Windows\TEMP\AnyDesk-CM.msi" /qn
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: aphostservice.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: networkhelper.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: userdataplatformhelperutil.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: syncutil.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: mccspal.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: vaultcli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dmcfgutils.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dmcmnutils.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dmxmlhelputils.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: inproclogger.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: windows.networking.connectivity.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: synccontroller.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: pimstore.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: aphostclient.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: accountaccessor.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: dsclient.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: systemeventsusererclient.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: userdatalanguageutil.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: mccsengineshared.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: cemapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: userdatatypehelperutil.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: phoneutil.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: storsvc.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wer.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: storageusage.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wtsapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winsta.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: devobj.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptnet.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: smphost.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mispace.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sxshared.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmiclnt.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wevtapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: virtdisk.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: resutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: bcd.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fltlib.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: clusapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmidcom.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wmitomi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fastprox.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.iniJump to behavior
                                Source: Window RecorderWindow detected: More than 3 window changes detected
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\PubNub-Messaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\sharedJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.AppJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebHeaderCollection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-fibers-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Buffers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-errorhandling-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-multibyte-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-time-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Specialized.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Reader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\coreclr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Metadata.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-private-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-math-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Memory.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Handles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\msquic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-rtlsupport-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.HttpListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.deps.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.ZipFile.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\ucrtbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Native.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-debug-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.OpenSsl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.Client.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Timer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Algorithms.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-filesystem-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.DispatchProxy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processenvironment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.StackTrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-util-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Immutable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Configuration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Queryable.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-conio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebClient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.DataSetExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Requests.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tools.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.AppContext.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.HttpUtility.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-interlocked-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-profile-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TextWriterTraceListener.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-handle-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.XDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-utility-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.Extensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.EventBasedAsync.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.RegularExpressions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.Vectors.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Dynamic.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Csp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Mail.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.X509Certificates.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-libraryloader-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Loader.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.Common.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ObjectModel.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.ResourceManager.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlDocument.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.ILGeneration.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Serialization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.VisualC.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Channels.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Quic.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-runtime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Cng.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-2-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.runtimeconfig.jsonJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.Unsafe.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Primitives.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.DiagnosticSource.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-stdio-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.CoreLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.versionJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\hostJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxrJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.32Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}Jump to behavior
                                Source: Binary string: C:\Windows\AteraAgent.pdbpdbent.pdb source: AteraAgent.exe, 00000012.00000002.2107624213.000002A06D060000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 0000001F.00000002.1545731021.000001CDF24B2000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: D:\a\12\s\AteraNugetPackages\Atera.AgentPackages.Exceptions\Atera.AgentPackages.Exceptions\obj\Release\Atera.AgentPackages.Exceptions.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1640789464.000001BA14612000.00000002.00000001.01000000.00000019.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 0000000D.00000002.1421661955.000001B6AF302000.00000002.00000001.01000000.00000009.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb< source: AgentPackageAgentInformation.exe, 0000000D.00000000.1402430407.000001B6AEE92000.00000002.00000001.01000000.00000007.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 0000001F.00000002.1547589739.000001CDF2782000.00000002.00000001.01000000.00000015.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1544567582.000001CDF1BC2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdbSHA256 source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdb source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/AnyOS.AnyCPU.Release/System.Xml.XPath.XDocument/netfx\System.Xml.XPath.XDocument.pdb source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb-a source: AgentPackageADRemote.exe, 0000001C.00000002.1640544426.000001BA145D2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: \??\C:\Windows\Atera.AgentPackages.CommonLib.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D2ED000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageADRemote\AgentPackageADRemote\obj\Release\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 0000001C.00000000.1471696821.000001BA14192000.00000002.00000001.01000000.0000000B.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\win_dwm\win_dwm.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000D0C000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\net35\Newtonsoft.Json.pdbJT source: AteraAgent.exe, 0000000A.00000002.1826893185.0000024046642000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: ommonLib.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1637281742.000000B6F2351000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D2ED000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\symbols\exe\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D2ED000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Development\Releases\Json\Working\Newtonsoft.Json\Working-Signed\Src\Newtonsoft.Json\obj\Release\net35\Newtonsoft.Json.pdb source: AteraAgent.exe, 0000000A.00000002.1826893185.0000024046642000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: AgentPackageMonitoring.exe, 0000001F.00000002.1547016268.000001CDF26C2000.00000002.00000001.01000000.00000014.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\privacy_feature\privacy_feature.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000D0C000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: `C:\Windows\Atera.AgentPackages.CommonLib.pdb1- source: AgentPackageADRemote.exe, 0000001C.00000002.1637281742.000000B6F2351000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1545979034.000001CDF2552000.00000002.00000001.01000000.00000012.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageProgramManagement\ThirdPartyPackageManager\obj\Release\ThirdPartyPackageManager.pdb source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/artifacts/obj/System.Diagnostics.EventLog/net6.0-Release/System.Diagnostics.EventLog.pdb source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 0000000D.00000000.1402430407.000001B6AEE92000.00000002.00000001.01000000.00000007.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1545731021.000001CDF24B2000.00000002.00000001.01000000.00000011.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 0000000D.00000002.1422557905.000001B6C7FC2000.00000002.00000001.01000000.0000000A.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1652885949.000001BA2D520000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.PDB&- source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D230000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard1.1\System.Memory.pdbSHA256~ source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: AgentPackageAgentInformation.exe, 0000000D.00000002.1422557905.000001B6C7FC2000.00000002.00000001.01000000.0000000A.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1652885949.000001BA2D520000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1547016268.000001CDF26C2000.00000002.00000001.01000000.00000014.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_app\win_app.pdbp source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-32\win_dwm\win_dwm.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000CD7000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackages.CommonLib\obj\Release\Atera.AgentPackages.CommonLib.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1640544426.000001BA145D2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: D:\a\12\s\AteraNugetPackages\Atera.AgentPackages.Exceptions\Atera.AgentPackages.Exceptions\obj\Release\Atera.AgentPackages.Exceptions.pdbJ,d, V,_CorDllMainmscoree.dll source: AgentPackageADRemote.exe, 0000001C.00000002.1640789464.000001BA14612000.00000002.00000001.01000000.00000019.sdmp
                                Source: Binary string: D:\a\42\s\AlphaAgent\trunk\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000009.00000000.1308365620.000001F267BE2000.00000002.00000001.01000000.00000004.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 0000001F.00000002.1544567582.000001CDF1BC2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 0000000D.00000002.1421661955.000001B6AF302000.00000002.00000001.01000000.00000009.sdmp
                                Source: Binary string: System.pdb source: AteraAgent.exe, 0000000A.00000002.1811264088.00000240464CD000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\app-32\win_loader\AnyDesk.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000000.1590661348.0000000000E39000.00000002.00000001.01000000.00000017.sdmp
                                Source: Binary string: C:\Users\anyadmin\Documents\anydesk\release\dwm_dda-64\privacy_feature\privacy_feature.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000D0C000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Pandu\GitHub\c-sharp\csharp.net\PubNub-Messaging\obj\Release\PubNub-Messaging.pdb source: AteraAgent.exe, 0000000A.00000002.1743556189.000002402DBD2000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1559418896.00007FF817BEA000.00000002.00000001.01000000.0000000D.sdmp
                                Source: Binary string: \??\C:\Windows\System.pdbkS source: AteraAgent.exe, 0000000A.00000002.1831401511.0000024046855000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 0000001F.00000002.1547589739.000001CDF2782000.00000002.00000001.01000000.00000015.sdmp
                                Source: Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.pdb source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D230000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: SAS.pdbR source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000CD7000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: SAS.pdb source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2553296705.0000000000CD7000.00000004.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp

                                Data Obfuscation

                                barindex
                                Detected unpacking (changes PE section rights)
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeUnpacked PE file: 36.2.AnyDesk-f45e5af2_msi.exe.200000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R;.custom:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;.custom:R;
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeUnpacked PE file: 37.2.AnyDesk-f45e5af2_msi.exe.200000.0.unpack .text:ER;.itext:W;.rdata:R;.data:W;.rsrc:R;.reloc:R;.custom:R; vs .text:ER;.itext:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;.custom:R;
                                Source: Newtonsoft.Json.dll.3.drStatic PE information: 0xCFB73310 [Thu Jun 6 08:57:52 2080 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,31_2_00007FF817AA1910
                                Source: BdEpSDK.exe.3.drStatic PE information: section name: _RDATA
                                Source: libx264-116.dll.3.drStatic PE information: section name: .rodata
                                Source: libx264-116.dll.3.drStatic PE information: section name: .eh_fram
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 9_2_00007FF7C0CD00BD pushad ; iretd 9_2_00007FF7C0CD00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 9_2_00007FF7C0CD0869 push eax; iretd 9_2_00007FF7C0CD086A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 9_2_00007FF7C0CD0879 push eax; iretd 9_2_00007FF7C0CD087A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CCA308 push es; iretd 10_2_00007FF7C0CD5627
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CCE9F7 push esi; iretd 10_2_00007FF7C0CCE9FF
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CC73A7 push ebp; retf 10_2_00007FF7C0CC73A8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CCA388 push ecx; ret 10_2_00007FF7C0CD61DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CD6752 push eax; iretd 10_2_00007FF7C0CD6753
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0CC00BD pushad ; iretd 10_2_00007FF7C0CC00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 10_2_00007FF7C0EA8918 pushad ; retf 10_2_00007FF7C0EA8919
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 13_2_00007FF7C0CED5C9 push ds; retf 5F52h13_2_00007FF7C0CED92F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 13_2_00007FF7C0CE00BD pushad ; iretd 13_2_00007FF7C0CE00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 15_2_00007FF7C0CC00BD pushad ; iretd 15_2_00007FF7C0CC00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CF59E5 push cs; retf 18_2_00007FF7C0CF5A1F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CEABC0 push es; retn 7002h18_2_00007FF7C0CEC989
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CEEE47 push esi; iretd 18_2_00007FF7C0CEEE4F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0CE00BD pushad ; iretd 18_2_00007FF7C0CE00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0EC5003 push ecx; iretd 18_2_00007FF7C0EC55DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0EC556B push ecx; iretd 18_2_00007FF7C0EC55DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 18_2_00007FF7C0EC87F8 pushad ; iretd 18_2_00007FF7C0EC87F9
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CF7C2E pushad ; retf 21_2_00007FF7C0CF7C5D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0D16FC2 pushad ; iretd 21_2_00007FF7C0D16FCD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 21_2_00007FF7C0CE00BD pushad ; iretd 21_2_00007FF7C0CE00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CE71F1 pushad ; ret 28_2_00007FF7C0CE7214
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CD7969 push ebx; retf 28_2_00007FF7C0CD796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CE8163 push ebx; ret 28_2_00007FF7C0CE816A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CDD363 push esp; iretd 28_2_00007FF7C0CDD364
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CE4DE0 push edi; retn 5F57h28_2_00007FF7C0CE6236
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CE70FC pushad ; ret 28_2_00007FF7C0CE70F4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0CE70C4 pushad ; ret 28_2_00007FF7C0CE70F4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeCode function: 28_2_00007FF7C0F8611B push esi; ret 28_2_00007FF7C0F86137
                                Source: System.Collections.Immutable.dll.3.drStatic PE information: section name: .text entropy: 6.800092496005656
                                Source: initial sampleStatic PE information: section name: UPX0
                                Source: initial sampleStatic PE information: section name: UPX1
                                Source: initial sampleStatic PE information: section name: UPX0
                                Source: initial sampleStatic PE information: section name: UPX1
                                Source: initial sampleStatic PE information: section name: UPX0
                                Source: initial sampleStatic PE information: section name: UPX1
                                Source: initial sampleStatic PE information: section name: UPX0
                                Source: initial sampleStatic PE information: section name: UPX1
                                Source: initial sampleStatic PE information: section name: UPX0
                                Source: initial sampleStatic PE information: section name: UPX1

                                Persistence and Installation Behavior

                                barindex
                                Creates files in the system32 config directory
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log
                                Sample is not signed and drops a device driver
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sysJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8537.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI17F9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2B7F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2DF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\PubNub-Messaging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 67ba80.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI286A.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBBF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Requests.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebProxy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Mail.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI273F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Metadata.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 67ba7e.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.DataSetExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-util-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.ILGeneration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ObjectModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC477.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.CoreLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Cng.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9E0F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Immutable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2E48.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Channels.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 67ba7f.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\coreclr.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9AF4.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI20C6.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1D88.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\ucrtbase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\msquic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI28BE.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.HttpListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3166.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Native.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Serialization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF8F5.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Loader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.HttpUtility.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Quic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\PubNub-Messaging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI45D9.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-2-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.OpenSsl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.DispatchProxy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebClient.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 67ba7c.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{96B92DFA-81A3-4790-BDF9-3D28564F56E6}\AnyDesk.icoJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-fibers-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF8F5.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2B7F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3166.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI286A.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{96B92DFA-81A3-4790-BDF9-3D28564F56E6}\AnyDesk.icoJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9AF4.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI17F9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC477.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI20C6.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2DF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI1D88.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI28BE.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI45D9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI273F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8537.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI9E0F.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBBF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2E48.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{96B92DFA-81A3-4790-BDF9-3D28564F56E6}\AnyDesk.icoJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLogJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLogJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txtJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txtJump to behavior

                                Boot Survival

                                barindex
                                Installs Task Scheduler Managed Wrapper
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk Custom Client.lnkJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\ApplicationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk Custom ClientJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk Custom Client\AnyDesk Custom Client.lnkJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk Custom Client.lnkJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,31_2_00007FF817A9A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\ClassesJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\ClassesJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\cscript.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                barindex
                                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Query firmware table information (likely to detect VMs)
                                Source: C:\Windows\System32\svchost.exeSystem information queried: FirmwareTableInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1F2680C0000 memory reserve | memory write watchJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1F269900000 memory reserve | memory write watchJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2402D7C0000 memory reserve | memory write watchJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 24045DC0000 memory reserve | memory write watchJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1B6AF0F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1B6C7850000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 28E1D0C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 28E35650000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2A06C3A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2A06C470000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1B7211F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1B739750000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMemory allocated: 1BA145A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMemory allocated: 1BA2CB70000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1CDF1670000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1CDF1C40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 201F55E0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 201F5D80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 2BFB1110000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 2BFC9790000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1F368A20000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1F369090000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 25910640000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 25928BD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeMemory allocated: 11C77B60000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeMemory allocated: 11C77D40000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeMemory allocated: 1F24CB10000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeMemory allocated: 1F2650B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeMemory allocated: 193562F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeMemory allocated: 1936E670000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMemory allocated: 2BAA53D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeMemory allocated: 2BABDA90000 memory reserve | memory write watch
                                Source: C:\Windows\System32\svchost.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599891
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599551
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599313
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598479
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598156
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597938
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597230
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597124
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597016
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596891
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599557
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 598984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 598875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 598760
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599282
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599104
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598313
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597796
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597587
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597277
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597104
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596793
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596668
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596476
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596164
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595821
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595619
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595491
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595373
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595255
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595006
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594576
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594434
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594142
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594016
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593718
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593555
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593434
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593309
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592918
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592664
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592527
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592256
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591215
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591065
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590779
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590369
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590086
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589854
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589479
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589243
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588697
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588574
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588295
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588147
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588024
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587893
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587458
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587333
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587083
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 586950
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 586829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 586625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 586121
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585972
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585675
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585545
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585043
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584576
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584157
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583949
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583433
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583303
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583007
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582873
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582735
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582622
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582492
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582372
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582264
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582153
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582044
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581936
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581769
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581532
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581414
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580978
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580051
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579802
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579317
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578938
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578658
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578391
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578029
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 577922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 577813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 577688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 598844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 4228Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 5512Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 7360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 2247
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 4659
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 3374
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeWindow / User API: threadDelayed 950
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeWindow / User API: threadDelayed 1084
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 2555
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 1455
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 7147
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 1891
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeWindow / User API: threadDelayed 7908
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeWindow / User API: threadDelayed 374
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8537.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI17F9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-time-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-private-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2B7F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2DF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\PubNub-Messaging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 67ba80.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI286A.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIBBF9.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Requests.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.AccessControl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Configuration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebProxy.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.CommandLine.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI273F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Mail.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Metadata.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 67ba7e.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.DataSetExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-util-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.ILGeneration.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC477.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.CoreLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\System.Diagnostics.EventLog.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Cng.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9E0F.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Polly.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Immutable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Windows.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI2E48.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Channels.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.AccessControl.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sysJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 67ba7f.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\coreclr.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI9AF4.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-2-0.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sysJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI20C6.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI1D88.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key enumerated: More than 128 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7972Thread sleep time: -922337203685477s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8116Thread sleep count: 4228 > 30Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8116Thread sleep count: 5512 > 30Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184Thread sleep time: -24903104499507879s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184Thread sleep time: -30000s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184Thread sleep time: -45000s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7188Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 884Thread sleep time: -80000s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6020Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6336Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7408Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7780Thread sleep count: 7360 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7780Thread sleep count: 2247 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8168Thread sleep count: 36 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8168Thread sleep time: -33204139332677172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8168Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 976Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8168Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7132Thread sleep time: -80000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5640Thread sleep count: 4659 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6876Thread sleep count: 3374 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -22136092888451448s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -599891s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -599781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -599672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -599551s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -599422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -599313s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -599188s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -599063s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -598953s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -598829s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -598703s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -598594s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -598479s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -598375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -598266s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -598156s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -598047s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -597938s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -597828s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -597719s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -597594s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -597485s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -597344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -597230s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -597124s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -597016s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -596891s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -596766s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4220Thread sleep time: -596656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4828Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7696Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -7378697629483816s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 8016Thread sleep count: 950 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -599890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 8016Thread sleep count: 1084 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -599781s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -599672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -599557s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -599421s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -599312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -599202s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -599093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -598984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -598875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7140Thread sleep time: -598760s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 2972Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 1996Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7104Thread sleep count: 2555 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3792Thread sleep time: -11068046444225724s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3792Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 4024Thread sleep count: 594 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 5292Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3128Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe TID: 4628Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe TID: 3640Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe TID: 5612Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe TID: 4628Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe TID: 2592Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5648Thread sleep count: 1455 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2672Thread sleep count: 98 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2404Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -26747778906878833s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 3300Thread sleep count: 7147 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -599688s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -599484s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -599282s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -599104s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -598797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -598563s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -598313s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -598047s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -597796s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -597587s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -597438s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -597277s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -597104s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -596954s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -596793s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -596668s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -596476s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -596310s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -596164s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -595969s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -595821s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -595619s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -595491s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -595373s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -595255s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -595125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -595006s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -594766s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -594576s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -594434s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -594297s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -594142s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -594016s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -593860s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -593718s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -593555s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -593434s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -593309s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -593172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -593047s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -592918s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -592790s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -592664s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -592527s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -592375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -592256s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -592125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -591766s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -591344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -591215s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -591065s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -590922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -590779s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -590641s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -590485s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -590369s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -590235s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -590086s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -589968s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -589854s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -589734s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -589590s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -589479s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -589243s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -588875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -588697s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -588574s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -588422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -588295s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -588147s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -588024s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -587893s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -587734s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -587594s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -587458s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -587333s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -587200s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -587083s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -586950s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -586829s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -586625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -586121s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -585972s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -585813s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -585675s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -585545s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -585360s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -585188s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -585043s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -584922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -584813s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -584702s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -584576s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -584438s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -584297s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -584157s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -583949s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -583433s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -583303s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -583172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -583007s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -582873s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -582735s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -582622s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -582492s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -582372s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -582264s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -582153s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -582044s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -581936s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -581769s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -581640s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -581532s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -581414s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -581297s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -581170s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -580978s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -580844s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -580688s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -580563s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -580453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -580344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -580219s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -580051s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -579922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 3300Thread sleep count: 1891 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -579802s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -579672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -579562s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -579453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -579317s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -579188s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -579063s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -578938s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -578813s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -578658s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -578500s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -578391s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -578266s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -578141s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -578029s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -577922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -577813s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4800Thread sleep time: -577688s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 3484Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 1404Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 5400Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 7720Thread sleep count: 140 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 6252Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe TID: 6500Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 4764Thread sleep count: 7908 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 8172Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -100000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -99735s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -99561s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -99422s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -99294s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -99117s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -98951s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -98805s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -98610s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -98461s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 2348Thread sleep time: -98260s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe TID: 8172Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 8028Thread sleep count: 374 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 6744Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 6744Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 6744Thread sleep time: -598844s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 7352Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe TID: 6680Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 7564Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe TID: 3096Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeFile Volume queried: C:\Windows\System32 FullSizeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 80000Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 80000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599891
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599551
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599313
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598479
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598156
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597938
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597828
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597230
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597124
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597016
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596891
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599781
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599557
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 599093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 598984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 598875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 598760
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599282
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599104
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598313
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597796
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597587
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597277
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597104
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596954
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596793
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596668
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596476
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596164
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595821
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595619
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595491
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595373
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595255
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595006
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594576
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594434
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594142
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594016
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593718
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593555
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593434
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593309
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592918
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592664
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592527
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592256
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 592125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591766
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591215
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 591065
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590779
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590485
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590369
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590235
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 590086
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589968
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589854
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589479
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 589243
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588697
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588574
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588295
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588147
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 588024
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587893
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587734
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587458
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587333
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 587083
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 586950
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 586829
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 586625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 586121
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585972
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585675
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585545
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585360
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 585043
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584576
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584438
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 584157
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583949
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583433
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583303
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 583007
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582873
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582735
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582622
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582492
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582372
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582264
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582153
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 582044
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581936
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581769
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581532
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581414
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581297
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 581170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580978
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580563
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 580051
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579802
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579317
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579188
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 579063
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578938
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578658
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578500
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578391
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 578029
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 577922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 577813
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 577688
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 100000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 99735
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 99561
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 99422
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 99294
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 99117
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 98951
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 98805
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 98610
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 98461
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 98260
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 598844
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: svchost.exe, 00000021.00000003.2501326761.000002016D934000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: svchost.exe, 00000021.00000002.2543150347.000002016D613000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C291B7E1A50751CFE2D9FBBFD3420RKVMwareVirtual disk
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1640030677.000001B739E52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: svchost.exe, 00000021.00000002.2543718511.000002016D668000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ,@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641176911.000001B739F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: svchost.exe, 00000021.00000002.2545454552.000002016D6F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641011614.000001B739EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"
                                Source: svchost.exe, 00000005.00000002.2546243863.0000021D4848C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: svchost.exe, 00000021.00000003.2501326761.000002016D934000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1630021987.000001B720F78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: svchost.exe, 00000021.00000002.2543497813.000002016D64F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c291b7e1a50751cfe2d9fbbfd342PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C291B7E1A50751CFE2D9FBBFD342ent
                                Source: AgentPackageAgentInformation.exe, 0000000D.00000000.1402430407.000001B6AEE92000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: svchost.exe, 00000021.00000002.2544779369.000002016D6D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c291b7e1a50751cfe2d9fbbfd342PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: svchost.exe, 00000005.00000002.2545452491.0000021D4844B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1630021987.000001B720FD7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1544311162.000001CDF1B72000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: vmware
                                Source: svchost.exe, 00000021.00000002.2543497813.000002016D64F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: svchost.exe, 00000005.00000002.2545856351.0000021D48464000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000ni
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: svchost.exe, 00000021.00000002.2543718511.000002016D668000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1
                                Source: svchost.exe, 00000005.00000002.2545234886.0000021D4842B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: AgentPackageAgentInformation.exe, 0000000D.00000002.1422880934.000001B6C80A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrg
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1640030677.000001B739E52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641176911.000001B739F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: svchost.exe, 00000021.00000002.2543497813.000002016D64F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0VMwareVirtual disk6000c291b7e1a50751cfe2d9fbbfd3422.0
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641176911.000001B739F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641011614.000001B739EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicshutdown"
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: AteraAgent.exe, 00000012.00000002.2100308784.000002A06CCCB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ble Device Enumerator ServiceWPDBusEnumParental ControlsWpcMonSvcWork FoldersworkfolderssvcWindows Media Player Network Sharing ServiceWMPNetworkSvcWMI Performance AdapterwmiApSrvWindows Management ServiceWManSvcLocal Profile Assistant ServicewlpasvcMicrosoft Account Sign-in AssistantwlidsvcWLAN AutoConfigWlanSvcWindows Insider ServicewisvcWindows Remote Management (WS-Management)WinRMWindows Management InstrumentationWinmgmtWinHTTP Web Proxy Auto-Discovery ServiceWinHttpAutoProxySvcMicrosoft Defender Antivirus ServiceWinDefendStill Image Acquisition EventsWiaRpcWi-Fi Direct Services Connection Manager ServiceWFDSConMgrSvcWindows Error Reporting ServiceWerSvcProblem Reports Control Panel SupportwercplsupportWindows Encryption Provider Host ServiceWEPHOSTSVCWindows Event CollectorWecsvcWebClientWebClientMicrosoft Defender Antivirus Network Inspection ServiceWdNisSvcDiagnostic System HostWdiSystemHostDiagnostic Service HostWdiServiceHostWindows Connect Now - Config RegistrarwcncsvcWindows Connection ManagerWcmsvcWindows Biometric ServiceWbioSrvcBlock Level Backup Engine ServicewbengineWarpJITSvcWarpJITSvcWalletServiceWalletServiceWindows TimeW32TimeVolume Shadow CopyVSSHyper-V Volume Shadow Copy RequestorvmicvssHyper-V PowerShell Direct ServicevmicvmsessionHyper-V Time Synchronization ServicevmictimesyncHyper-V Guest Shutdown ServicevmicshutdownHyper-V Remote Desktop Virtualization ServicevmicrdvHyper-V Data Exchange ServicevmickvpexchangeHyper-V Heartbeat ServicevmicheartbeatHyper-V Guest Service InterfacevmicguestinterfaceVirtual DiskvdsCredential ManagerVaultSvcVolumetric Audio Compositor ServiceVacSvcUpdate Orchestrator ServiceUsoSvcUser ManagerUserManagerUPnP Device HostupnphostRemote Desktop Services UserMode Port RedirectorUmRdpServiceUser Experience Virtualization ServiceUevAgentServiceAuto Time Zone UpdatertzautoupdateWindows Modules InstallerTrustedInstallerRecommended Troubleshooting ServiceTroubleshootingSvcDistributed Link Tracking ClientTrkWksWeb Account ManagerTokenusererTime usererTimeusererSvcStorage Tiers ManagementTieringEngineServiceThemesThemesRemote Desktop ServicesTermServiceTelephonyTapiSrvTouch Keyboard and Handwriting Panel ServiceTabletInputServiceSystem Events usererSystemEventsusererSysMainSysMainMicrosoft Software Shadow Copy ProviderswprvSpot VerifiersvsvcStorage ServiceStorSvcWindows Image Acquisition (WIA)stisvcState Repository ServiceStateRepositorySecure Socket Tunneling Protocol ServiceSstpSvcOpenSSH Authentication Agentssh-agentSSDP DiscoverySSDPSRVSoftware ProtectionsppsvcPrint SpoolerSpoolerWindows Perception ServicespectrumSNMP TrapSNMPTRAPMicrosoft Windows SMS Router Service.SmsRouterMicrosoft Storage Spaces SMPsmphostShared PC Account ManagershpamsvcShell Hardware DetectionShellHWDetectionSpatial Data ServiceSharedRealitySvcInternet Connection Sharing (ICS)SharedAccessSystem Guard Runtime Monitor usererSgrmusererRemote Desktop ConfigurationSessionEnvSensor Monitoring ServiceSensrSvcSensor ServiceSensorServi
                                Source: svchost.exe, 00000021.00000002.2543497813.000002016D64F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: svchost.exe, 00000021.00000003.2501326761.000002016D934000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fef88c0d-2700-c520-e51d-850f7cb9edb6}6000C291B7E1A50751CFE2D9FBBFD342VMware Virtual diskVMwareVirtual disk6000c291b7e1a50751cfe2d9fbbfd342PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1602401436.00000000016D0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1601181525.00000000016D0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2559861044.00000000016A8000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1608435729.00000000016D0000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1605916945.00000000016D2000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1601354156.00000000016D1000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1606918473.00000000016D3000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllW[
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: svchost.exe, 00000005.00000002.2545856351.0000021D4847E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641011614.000001B739EDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicheartbeat"
                                Source: svchost.exe, 00000021.00000002.2543150347.000002016D613000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C291B7E1A50751CFE2D9FBBFD342\sy0emVMwareeVirtual disk=C:6000c291b7e1a50751cfe2d9fbbfd342ata2.0
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1630021987.000001B720F78000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedo
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641176911.000001B739F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: AteraAgent.exe, 00000012.00000002.2100308784.000002A06CC68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;AV
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1640030677.000001B739E52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped_
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1642582800.000001B73A1AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>>q
                                Source: svchost.exe, 00000021.00000002.2543497813.000002016D64F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C291B7E1A50751CFE2D9FBBFD342
                                Source: svchost.exe, 00000021.00000002.2544779369.000002016D6D5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: BSCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1651206396.000001BA2D230000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: svchost.exe, 00000021.00000002.2542965873.000002016D600000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c291b7e1a50751cfe2d9fbbfd342PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C291B7E1A50751CFE2D9FBBFD342
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1630021987.000001B720FD7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped,
                                Source: svchost.exe, 00000005.00000002.2545234886.0000021D4842B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1643362584.000001B73A210000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fef88c0d-2700-c520-e51d-850f7cb9edb6}"6000C291B7E1A50751CFE2D9FBBFD342VMware Virtual diskVMwareVirtual disk6000c291b7e1a50751cfe2d9fbbfd342PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: svchost.exe, 00000021.00000002.2545454552.000002016D6F6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @friendlyname"vmware virtual disk"dlll
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641176911.000001B739F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1640544426.000001BA145D2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageMonitoring.exe, 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1544311162.000001CDF1B72000.00000002.00000001.01000000.0000000E.sdmpBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageMonitoring.exe, 0000001F.00000002.1548352968.000001CDF3490000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641176911.000001B739F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1641176911.000001B739F02000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: svchost.exe, 00000005.00000002.2544562363.0000021D48402000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                                Source: AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14D36000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachineX
                                Source: AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1640030677.000001B739E52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
                                Source: AteraAgent.exe, 0000000A.00000002.1811264088.00000240464CD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
                                Source: svchost.exe, 00000005.00000002.2545452491.0000021D4844B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: AgentPackageAgentInformation.exe, 00000015.00000002.1640955286.000001B739ED5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStoppedI|Servic
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A95E14 IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,31_2_00007FF817A95E14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817ADB9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,31_2_00007FF817ADB9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817AA1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,31_2_00007FF817AA1910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A97A84 GetProcessHeap,31_2_00007FF817A97A84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: DebugJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess token adjusted: Debug
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe "C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe" --controlJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,31_2_00007FF817A9ACD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: page read and write | page guardJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="gearoid@pcsales.ie" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI=""Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "7f4bc6c6-59a6-4bc9-8598-c31d718ec694" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "4d4475cf-de40-427c-84dc-885cd4d49f26" agent-api.atera.com/Production 443 or8ixLi90Mf "identified"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "286bd9d8-353a-4b8d-9785-82c1528904e7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1770ba0d-887c-48bc-9dfe-81a93d31467b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjozLCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9wYWNrYWdlc3N0b3JlLmJsb2IuY29yZS53aW5kb3dzLm5ldC9pbnN0YWxsZXJzL0FueURlc2svQWdlbnRfQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSJ9"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 328987ae-dff2-409c-a138-b16d9739728b "8f1aa051-8e50-4815-abc3-1c6545289f2a" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1d3f044-b3ad-4477-a71b-e7adea6af624" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "56e78124-ff9e-4e29-ad5e-0209b83f61c7" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 328987ae-dff2-409c-a138-b16d9739728b "7cc0114f-d163-4617-a905-9a329cdf5945" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 328987ae-dff2-409c-a138-b16d9739728b "197104ea-9832-45bd-9a2f-8c3a39747567" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 328987ae-dff2-409c-a138-b16d9739728b "28e860a2-285e-4a91-9ed0-d2614790e752" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 328987ae-dff2-409c-a138-b16d9739728b "e4786dfd-8714-4cf5-9610-b4bc75778433" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjMyIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzNiMTFiZDM4LTU4ZmQtNDc4My05ZDdmLWUxOGUwNDA5ZmU2YS9hM2RmNGM3ZWJmZjhmYzJjNjdkN2M5ZjU1MThmYjdmZC9kb3RuZXQtcnVudGltZS02LjAuMzItb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9hYTBiMWY3MS04ZGZjLTRiMWItOTUyNS0yMjQ5Y2Q0N2NkN2QvZWRkNDJjM2YyYmYxMTEwNjczNTVhZTFkNDU5OGZhNTEvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2I2ZGIyMjYxLTQyODgtNDc0Zi04NzYyLTRlZTA2YmNiMTIyNy9lOGIxNDU4ZWE5ZjgyYjkwZTYzYmU4ZmU4YjlmMjc3NS9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80NTE1YWFhYS1jN2Q1LTQwYmYtYjdmZC1mNDc2ZDZlYTNiMWEvYzU0NWVhOTJkYmQ1Mzc3NTNhZWZiOTM3NDc4ZmQ1MzIvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzQ4ZWRkZTFlLTFlOGYtNGRiNi1iNGRjLWM4ODI1NTZkZGE0Yi8wODRhZjllNTQ2ODZmNzBhOGRhZWNlYTJkMmZiZTJjYi9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6ImszRlZuUDdFQ25zUWdITm92ZTBvZmFVNXgzVFVHVDZkOFk3TmFwbTZPZWpuNXBpVXNoZlcwczc1QkJhVUR6T3hrNmxXL01BOFJnM2pqTVFIai9Eb3lRPT0iLCJNYWNYNjRDaGVja3N1bSI6IjZ2bUxDeVFPSnBrUkFtSDMxUnRYZE9tSnFuQkZEXHUwMDJCZ1VGeWxzN3hjSldvWmZcdTAwMkJuc25WWWtRc2JIYWV0TXVUcm8xaWRMcDhSVnl6RjE4NmFLQUNoSkZnUT09IiwiV2luQVJNQ2hlY2tzdW0iOiJ3eG02bWxhZkdzWXpPTmh4WVBLSW85a3RBVkN0WC94MGVua0s0RjAwUHJQMm9FSTI3aXFPNTh2akFEOHpITUMwenRYNnBBWWZNb0hEMXoyczYzcm5SQT09IiwiV2luWDY0Q2hlY2tzdW0iOiI1Ry9MOVhSM2J0R0ZrcGFoaHpTdkVDcVNIb3J1d0FhZTZVdkk4azFNYWFvb3NiRmR5Nk4xU3NHdFB2NEpuSUs4UmxPVUtUSHU2NFZMTHRCb1RWTHFoUT09IiwiV2luWDg2Q2hlY2tzdW0iOiJTZU51SVx1MDAyQkhMaTM0L0JQL1ZKcHFqb2FaeVZDY1ZLVnNhQUdtalc5dWJyeUFrZ3pkZ2wwS2xjNENuT2ljZ01Mb2R4dVNVcU9SeVRJbUdZWmVGSzlMbW1RPT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1de39b7-f261-48cb-9dc4-629b89d8a751" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1d2acbd6-a090-4ad5-8aa2-025239e0beed" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ=="
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 328987ae-dff2-409c-a138-b16d9739728b "0b89ae87-0eed-4d02-93ce-0ff8d9af8844" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i "C:\Windows\TEMP\AnyDesk-CM.msi" /qn
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "7f4bc6c6-59a6-4bc9-8598-c31d718ec694" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "4d4475cf-de40-427c-84dc-885cd4d49f26" agent-api.atera.com/production 443 or8ixli90mf "identified"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "286bd9d8-353a-4b8d-9785-82c1528904e7" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageadremote\agentpackageadremote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1770ba0d-887c-48bc-9dfe-81a93d31467b" agent-api.atera.com/production 443 or8ixli90mf "eyjbzenvbw1hbmruexblijozlcjjbnn0ywxsyxrpb25gawxlvxjsijoiahr0chm6ly9wywnrywdlc3n0b3jllmjsb2iuy29yzs53aw5kb3dzlm5ldc9pbnn0ywxszxjzl0fueurlc2svqwdlbnrfqw55rgvza19ddxn0b21fq2xpzw50lm1zasj9"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1d3f044-b3ad-4477-a71b-e7adea6af624" agent-api.atera.com/production 443 or8ixli90mf "generalinfo"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 328987ae-dff2-409c-a138-b16d9739728b "7cc0114f-d163-4617-a905-9a329cdf5945" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageruntimeinstaller\agentpackageruntimeinstaller.exe" 328987ae-dff2-409c-a138-b16d9739728b "e4786dfd-8714-4cf5-9610-b4bc75778433" agent-api.atera.com/production 443 or8ixli90mf "eyjdb21tyw5ktmftzsi6imluc3rhbgxkb3ruzxqilcjeb3rozxrwzxjzaw9uijoini4wljmyiiwitwfjqvjnrg93bmxvywrvcmwioijodhrwczovl2rvd25sb2fklnzpc3vhbhn0dwrpby5tawnyb3nvznquy29tl2rvd25sb2fkl3bylznimtfizdm4ltu4zmqtndc4my05zddmlwuxoguwnda5zmu2ys9hm2rmngm3zwjmzjhmyzjjnjdkn2m5zju1mthmyjdmzc9kb3ruzxqtcnvudgltzs02ljaumzitb3n4lwfybty0lnbrzyisik1hy1g2nervd25sb2fkvxjsijoiahr0chm6ly9kb3dubg9hzc52axn1ywxzdhvkaw8ubwljcm9zb2z0lmnvbs9kb3dubg9hzc9wci9hytbimwy3ms04zgzjltrimwitotuyns0ymjq5y2q0n2nkn2qvzwrkndjjm2yyymyxmtewnjczntvhztfkndu5ogzhntevzg90bmv0lxj1bnrpbwutni4wljmylw9zec14njqucgtniiwiv2luqvjnrg93bmxvywrvcmwioijodhrwczovl2rvd25sb2fklnzpc3vhbhn0dwrpby5tawnyb3nvznquy29tl2rvd25sb2fkl3byl2i2zgiymjyxltqyodgtndc0zi04nzyyltrlzta2ymnimtiyny9logixndu4zwe5zjgyyjkwztyzymu4zmu4yjlmmjc3ns9kb3ruzxqtcnvudgltzs02ljaumzitd2lulwfybty0lmv4zsisildpblg2nervd25sb2fkvxjsijoiahr0chm6ly9kb3dubg9hzc52axn1ywxzdhvkaw8ubwljcm9zb2z0lmnvbs9kb3dubg9hzc9wci80nte1ywfhys1jn2q1ltqwymytyjdmzc1mndc2zdzlytnimwevyzu0nwvhotjkymq1mzc3ntnhzwziotm3ndc4zmq1mzivzg90bmv0lxj1bnrpbwutni4wljmylxdpbi14njquzxhliiwiv2luwdg2rg93bmxvywrvcmwioijodhrwczovl2rvd25sb2fklnzpc3vhbhn0dwrpby5tawnyb3nvznquy29tl2rvd25sb2fkl3bylzq4zwrkztflltflogytngrini1ingrjlwm4odi1ntzkzge0yi8wodrhzjllntq2odzmnzbhogrhzwnlytjkmmziztjjyi9kb3ruzxqtcnvudgltzs02ljaumzitd2lulxg4ni5leguilcjnywnbuk1dagvja3n1bsi6imszrlzuuddfq25zuwditm92ztbvzmfvnxgzvfvhvdzkofk3tmfwbtzpzwpunxbpvxnozlcwczc1qkjhvur6t3hrnmxxl01bofjnm2pqtvfiai9eb3lrpt0ilcjnywnynjrdagvja3n1bsi6ijz2buxdevfpsnbrukftsdmxunryze9tsnfuqkzexhuwmdjcz1vgewxzn3hjsldvwmzcdtawmkjuc25wwwtrc2jiywv0txvucm8xawrmcdhsvnl6rje4nmflqunoskznut09iiwiv2luqvjnq2hly2tzdw0ioij3eg02bwxhzkdzwxpptmh4wvblsw85a3rbvkn0wc94mgvua0s0rjawuhjqmm9fsti3axfpnth2akfeohpitumwenrynnbbwwznb0hemxoyczyzcm5sqt09iiwiv2luwdy0q2hly2tzdw0ioii1ry9movhsm2j0r0zrcgfoahptdkvdcvnib3j1d0fhztzvdkk4azfnywfvb3nirmr5nk4xu3nhdfb2nepusus4umxpvutushu2nfzmthrcb1rwthfout09iiwiv2luwdg2q2hly2tzdw0ioijtzu51svx1mdayqkhmatm0l0jql1zkchfqb2faevzdy1zlvnnhqudtalc5dwjyeufrz3pkz2wws2xjnenut2ljz01mb2r4dvnvcu9sevrjbudzwmvgszlmbw1rpt0ilcjxb3jrc3bhy2vjzci6imjmmgnlndlkltc3y2ytndcyms1izjcwltu3njg2mzgzyzlhyiisikxvz05hbwuioijeb3rozxrsdw50aw1lsw5zdgfsbgf0aw9uumvwb3j0iiwiu2hhcmvks2v5ijoialvjuy9uounsvkrls3hzzzrvcjnhq2hov1f1y1k3ufz2d2cwekh1cupzy3juamprmkx3szzvamz1n2nbmk5wckfsmhivu1jbwepzwwxkuetlrnlls1e9psj9"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemarketplace\agentpackagemarketplace.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1de39b7-f261-48cb-9dc4-629b89d8a751" agent-api.atera.com/production 443 or8ixli90mf "agentprovision"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageadremote\agentpackageadremote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1d2acbd6-a090-4ad5-8aa2-025239e0beed" agent-api.atera.com/production 443 or8ixli90mf "eyjbzenvbw1hbmruexblijo1lcjjbnn0ywxsyxrpb25gawxlvxjsijoiahr0chm6ly9nzxquyw55zgvzay5jb20voenrc3u5a3yvqw55rgvza19ddxn0b21fq2xpzw50lm1zasisikzvcmnlsw5zdgfsbci6zmfsc2usilrhcmdldfzlcnnpb24ioiiifq=="
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "7f4bc6c6-59a6-4bc9-8598-c31d718ec694" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "4d4475cf-de40-427c-84dc-885cd4d49f26" agent-api.atera.com/production 443 or8ixli90mf "identified"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "286bd9d8-353a-4b8d-9785-82c1528904e7" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageadremote\agentpackageadremote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1770ba0d-887c-48bc-9dfe-81a93d31467b" agent-api.atera.com/production 443 or8ixli90mf "eyjbzenvbw1hbmruexblijozlcjjbnn0ywxsyxrpb25gawxlvxjsijoiahr0chm6ly9wywnrywdlc3n0b3jllmjsb2iuy29yzs53aw5kb3dzlm5ldc9pbnn0ywxszxjzl0fueurlc2svqwdlbnrfqw55rgvza19ddxn0b21fq2xpzw50lm1zasj9"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1d3f044-b3ad-4477-a71b-e7adea6af624" agent-api.atera.com/production 443 or8ixli90mf "generalinfo"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 328987ae-dff2-409c-a138-b16d9739728b "7cc0114f-d163-4617-a905-9a329cdf5945" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageruntimeinstaller\agentpackageruntimeinstaller.exe" 328987ae-dff2-409c-a138-b16d9739728b "e4786dfd-8714-4cf5-9610-b4bc75778433" agent-api.atera.com/production 443 or8ixli90mf "eyjdb21tyw5ktmftzsi6imluc3rhbgxkb3ruzxqilcjeb3rozxrwzxjzaw9uijoini4wljmyiiwitwfjqvjnrg93bmxvywrvcmwioijodhrwczovl2rvd25sb2fklnzpc3vhbhn0dwrpby5tawnyb3nvznquy29tl2rvd25sb2fkl3bylznimtfizdm4ltu4zmqtndc4my05zddmlwuxoguwnda5zmu2ys9hm2rmngm3zwjmzjhmyzjjnjdkn2m5zju1mthmyjdmzc9kb3ruzxqtcnvudgltzs02ljaumzitb3n4lwfybty0lnbrzyisik1hy1g2nervd25sb2fkvxjsijoiahr0chm6ly9kb3dubg9hzc52axn1ywxzdhvkaw8ubwljcm9zb2z0lmnvbs9kb3dubg9hzc9wci9hytbimwy3ms04zgzjltrimwitotuyns0ymjq5y2q0n2nkn2qvzwrkndjjm2yyymyxmtewnjczntvhztfkndu5ogzhntevzg90bmv0lxj1bnrpbwutni4wljmylw9zec14njqucgtniiwiv2luqvjnrg93bmxvywrvcmwioijodhrwczovl2rvd25sb2fklnzpc3vhbhn0dwrpby5tawnyb3nvznquy29tl2rvd25sb2fkl3byl2i2zgiymjyxltqyodgtndc0zi04nzyyltrlzta2ymnimtiyny9logixndu4zwe5zjgyyjkwztyzymu4zmu4yjlmmjc3ns9kb3ruzxqtcnvudgltzs02ljaumzitd2lulwfybty0lmv4zsisildpblg2nervd25sb2fkvxjsijoiahr0chm6ly9kb3dubg9hzc52axn1ywxzdhvkaw8ubwljcm9zb2z0lmnvbs9kb3dubg9hzc9wci80nte1ywfhys1jn2q1ltqwymytyjdmzc1mndc2zdzlytnimwevyzu0nwvhotjkymq1mzc3ntnhzwziotm3ndc4zmq1mzivzg90bmv0lxj1bnrpbwutni4wljmylxdpbi14njquzxhliiwiv2luwdg2rg93bmxvywrvcmwioijodhrwczovl2rvd25sb2fklnzpc3vhbhn0dwrpby5tawnyb3nvznquy29tl2rvd25sb2fkl3bylzq4zwrkztflltflogytngrini1ingrjlwm4odi1ntzkzge0yi8wodrhzjllntq2odzmnzbhogrhzwnlytjkmmziztjjyi9kb3ruzxqtcnvudgltzs02ljaumzitd2lulxg4ni5leguilcjnywnbuk1dagvja3n1bsi6imszrlzuuddfq25zuwditm92ztbvzmfvnxgzvfvhvdzkofk3tmfwbtzpzwpunxbpvxnozlcwczc1qkjhvur6t3hrnmxxl01bofjnm2pqtvfiai9eb3lrpt0ilcjnywnynjrdagvja3n1bsi6ijz2buxdevfpsnbrukftsdmxunryze9tsnfuqkzexhuwmdjcz1vgewxzn3hjsldvwmzcdtawmkjuc25wwwtrc2jiywv0txvucm8xawrmcdhsvnl6rje4nmflqunoskznut09iiwiv2luqvjnq2hly2tzdw0ioij3eg02bwxhzkdzwxpptmh4wvblsw85a3rbvkn0wc94mgvua0s0rjawuhjqmm9fsti3axfpnth2akfeohpitumwenrynnbbwwznb0hemxoyczyzcm5sqt09iiwiv2luwdy0q2hly2tzdw0ioii1ry9movhsm2j0r0zrcgfoahptdkvdcvnib3j1d0fhztzvdkk4azfnywfvb3nirmr5nk4xu3nhdfb2nepusus4umxpvutushu2nfzmthrcb1rwthfout09iiwiv2luwdg2q2hly2tzdw0ioijtzu51svx1mdayqkhmatm0l0jql1zkchfqb2faevzdy1zlvnnhqudtalc5dwjyeufrz3pkz2wws2xjnenut2ljz01mb2r4dvnvcu9sevrjbudzwmvgszlmbw1rpt0ilcjxb3jrc3bhy2vjzci6imjmmgnlndlkltc3y2ytndcyms1izjcwltu3njg2mzgzyzlhyiisikxvz05hbwuioijeb3rozxrsdw50aw1lsw5zdgfsbgf0aw9uumvwb3j0iiwiu2hhcmvks2v5ijoialvjuy9uounsvkrls3hzzzrvcjnhq2hov1f1y1k3ufz2d2cwekh1cupzy3juamprmkx3szzvamz1n2nbmk5wckfsmhivu1jbwepzwwxkuetlrnlls1e9psj9"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemarketplace\agentpackagemarketplace.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1de39b7-f261-48cb-9dc4-629b89d8a751" agent-api.atera.com/production 443 or8ixli90mf "agentprovision"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageadremote\agentpackageadremote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1d2acbd6-a090-4ad5-8aa2-025239e0beed" agent-api.atera.com/production 443 or8ixli90mf "eyjbzenvbw1hbmruexblijo1lcjjbnn0ywxsyxrpb25gawxlvxjsijoiahr0chm6ly9nzxquyw55zgvzay5jb20voenrc3u5a3yvqw55rgvza19ddxn0b21fq2xpzw50lm1zasisikzvcmnlsw5zdgfsbci6zmfsc2usilrhcmdldfzlcnnpb24ioiiifq=="
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9739C cpuid 31_2_00007FF817A9739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\PubNub-Messaging.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\PubNub-Messaging.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A9CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,31_2_00007FF817A9CC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817A985D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,31_2_00007FF817A985D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                                Lowering of HIPS / PFW / Operating System Security Settings

                                barindex
                                Changes security center settings (notifications, updates, antivirus, firewall)
                                Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cvalJump to behavior
                                Source: svchost.exe, 00000008.00000002.2551024352.000001C5BD102000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
                                Source: svchost.exe, 00000008.00000002.2551024352.000001C5BD102000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                                Source: C:\Windows\System32\msiexec.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81 BlobJump to behavior
                                Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Remote Access Functionality

                                barindex
                                Yara detected AteraAgent
                                Source: Yara matchFile source: 49.0.AgentPackageSystemTools.exe.11c773b0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 49.2.AgentPackageSystemTools.exe.11c77b90000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 31.2.AgentPackageMonitoring.exe.1cdf1b70000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 9.0.AteraAgent.exe.1f267be0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 53.2.AgentPackageMarketplace.exe.19356560000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 50.2.AgentPackageRuntimeInstaller.exe.1f265910000.3.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 50.0.AgentPackageRuntimeInstaller.exe.1f24c6f0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 46.0.AgentPackageUpgradeAgent.exe.1f368620000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 42.0.AgentPackageSTRemote.exe.2bfb0dc0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 18.2.AteraAgent.exe.2a000afefd8.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 28.2.AgentPackageADRemote.exe.1ba145d0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 31.0.AgentPackageMonitoring.exe.1cdf1200000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 18.2.AteraAgent.exe.2a000b31de8.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 10.2.AteraAgent.exe.2402e3912e8.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 48.0.AgentPackageInternalPoller.exe.25910200000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 13.0.AgentPackageAgentInformation.exe.1b6aee90000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 18.2.AteraAgent.exe.2a000b16578.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 28.0.AgentPackageADRemote.exe.1ba14190000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 13.2.AgentPackageAgentInformation.exe.1b6af300000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 53.2.AgentPackageMarketplace.exe.19356430000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000000A.00000002.1741361683.000002402D60C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.1811224169.000001F4715B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1741226258.000002402D5C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1548276807.000001CDF33B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1831401511.000002404689D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002D.00000002.1981618842.00000203A08B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2565001660.000001F24D685000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2546404498.000002BFB0E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1630021987.000001B720F0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.1849193858.0000011C77B92000.00000002.00000001.01000000.00000026.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000003.1621455728.000002A2A912D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1875519724.000002BAA5B13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2071700756.000001F3687A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B7218AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1876523126.0000019355CFD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2066046594.00000201F5460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1862633775.000002BAA5108000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1640288592.000001B739E7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1327425121.00007FF7C0BCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2548498978.000001F24C967000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1559754160.00007FF817C29000.00000004.00000001.01000000.0000000D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1886184112.0000025910D4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1640544426.000001BA145D2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1542013724.000001CDF12F0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.1986641763.0000025F9E21B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1638646479.000001BA1438C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326829533.000001F267E51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E196000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000000.1789689253.0000011C773B2000.00000002.00000001.01000000.00000021.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2083569595.000002A06BCE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2107624213.000002A06D060000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1875519724.000002BAA5A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1862633775.000002BAA5182000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2546404498.000002BFB0E7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1876523126.0000019355CB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326829533.000001F267E53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2100308784.000002A06CC68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421801348.000001B6AF340000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1876523126.0000019355CBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2561158849.000001F24CB20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1641133212.000001BA14B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1915380437.0000025929530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1896358281.00000193567F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1874421073.00000259104B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2619058939.000002BFC9FD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2086765903.000001F368C95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2097698634.00000201F6511000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2560503274.000002BFB1808000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000000.1790153909.000001F24C6F2000.00000002.00000001.01000000.00000022.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.1556299859.000001FFDC82B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2548498978.000001F24C910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2548498978.000001F24C93D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402DED5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.1622807856.000002A2A9137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2546695135.000001F24C790000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1886184112.0000025910E13000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326388482.000001F20012F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2100308784.000002A06CD0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1831401511.00000240468C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2071700756.000001F368791000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000F.00000002.1458916018.0000028E1CEE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1874421073.00000259104FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2560503274.000002BFB19D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1880486743.0000025910554000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B721974000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2093412656.000002A06BFB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1741361683.000002402D639000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1638646479.000001BA143C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.1622327025.000002A2A9100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2559452797.000002BFB1120000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2546404498.000002BFB0EB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B721D02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2086290764.00000201F646D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.1825247533.0000011C77582000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000003.1766662600.0000025F9E400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1875519724.000002BAA5E2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2565001660.000001F24D113000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000F.00000002.1459662383.0000028E1D160000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2066046594.00000201F549A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2630120856.000001F265850000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326388482.000001F200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326829533.000001F267E7D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000019.00000002.1554504889.0000021637B80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2100308784.000002A06CC40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1542157242.000001CDF1430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1873907761.0000025910470000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000003.1621515538.000002A2A9141000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2107624213.000002A06D103000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2085256356.00000201F6440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1640878216.000001BA14620000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B7219C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.1556299859.000001FFDC820000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421246310.000001B6AF137000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2066046594.00000201F547B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421661955.000001B6AF302000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1548174753.000001CDF33A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2113897333.00000201F66CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326388482.000001F20007C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2100308784.000002A06CD38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1893205305.0000019356432000.00000002.00000001.01000000.0000002D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1542066814.000001CDF13F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1638646479.000001BA143AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2013736771.0000020180047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000003.1621569040.000002A2A9136000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1905015814.000002BABE1B5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2107624213.000002A06D0B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2083569595.000002A06BD52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2029187628.000001F300276000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1886184112.0000025910E0B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2071700756.000001F3687DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1831401511.0000024046855000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421246310.000001B6AF19F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1641133212.000001BA14CBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.1988799254.0000025F9E3E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.1556299859.000001FFDC843000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.1846748951.0000011C776A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000F.00000002.1458916018.0000028E1CEE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1641133212.000001BA14D36000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2565001660.000001F24D157000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1874241795.000002BAA5400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2013736771.0000020180083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A000010000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1632466581.000001B721270000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2071700756.000001F36875C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2029187628.000001F300285000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2100308784.000002A06CCE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1915380437.00000259295A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1883438305.00000259106D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1886184112.0000025910E15000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2619058939.000002BFCA03F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.1622327025.000002A2A910B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.1825247533.0000011C77540000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2560503274.000002BFB18C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1641133212.000001BA14BF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1924563744.000001936ED9F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000000.1769476624.000001F368622000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1630021987.000001B720FD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000003.1461221162.000001FFDC960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1905015814.000002BABE150000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2029187628.000001F300180000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2013736771.00000201801D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326388482.000001F200134000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2565001660.000001F24D0B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2637942073.000001F265912000.00000002.00000001.01000000.0000004E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2565001660.000001F24D619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1741361683.000002402D5D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1327216526.000001F26A083000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1542157242.000001CDF14BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000000.1471696821.000001BA14192000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2029187628.000001F30010F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1831401511.0000024046885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1895211057.0000019356562000.00000002.00000001.01000000.0000002F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2548498978.000001F24C95A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2107624213.000002A06D0DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2083569595.000002A06BD22000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421997857.000001B6AF851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1831401511.00000240468F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1630021987.000001B720F78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421246310.000001B6AF130000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1876523126.0000019355CF1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A000C08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1875519724.000002BAA5C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1651206396.000001BA2D230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.1811224169.000001F4715BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1739888226.0000009BBB9E4000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1876523126.0000019355D3D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326737224.000001F267D90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2092194234.000001F3698A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2092194234.000001F369810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1741361683.000002402D673000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2107624213.000002A06D0B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1876523126.0000019355D92000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1545077246.000001CDF23B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A000F86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2083569595.000002A06BD1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1896358281.0000019356912000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2066046594.00000201F54E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421201415.000001B6AF11C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A00108C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000022.00000002.1622891925.000002A2A9142000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2548498978.000001F24C91E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.1986641763.0000025F9E234000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2630120856.000001F2657D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1873907761.000002591047C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1896358281.0000019356869000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1876523126.0000019355CD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1640030677.000001B739E52000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E537000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1886184112.0000025910BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.1808902733.0000011C00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326388482.000001F200131000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2565001660.000001F24D69A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1920186276.00000259295E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2085850803.000001F368AA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2089050866.00000201F6479000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000029.00000002.1986641763.0000025F9E210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1644522191.000001B73A2FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1651206396.000001BA2D2ED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2546404498.000002BFB0EB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2565001660.000001F24D690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1886184112.0000025910E17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1630021987.000001B720F31000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326829533.000001F267E16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1886184112.0000025910BEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326388482.000001F2000B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2107624213.000002A06D08B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2013736771.0000020180001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421201415.000001B6AF110000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2541868230.000000FD30CF1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1862633775.000002BAA5100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000017.00000002.1556449027.000001FFDC940000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A00028B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2546404498.000002BFB0F67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1542157242.000001CDF1472000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.1825247533.0000011C775CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1630021987.000001B720EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B721905000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1920228519.000000EBA39E4000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B72190D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1641133212.000001BA15006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1641133212.000001BA14F82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2548498978.000001F24C9A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1638646479.000001BA1440F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B7217E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1538211245.000001CD80001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1744392039.000002402E418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421997857.000001B6AF8D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2029187628.000001F300001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1924563744.000001936ED30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1741361683.000002402D5F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A001008000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000F.00000002.1458916018.0000028E1CF68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2560503274.000002BFB1791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1905015814.000002BABE168000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.1825247533.0000011C7754C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000000.1776907358.0000025910202000.00000002.00000001.01000000.00000020.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2071700756.000001F368750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1651206396.000001BA2D2B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1544311162.000001CDF1B72000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A000001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1887837216.0000019355EF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000000.1402430407.000001B6AEE92000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1548150822.000001CDF31A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2100308784.000002A06CCCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001C.00000002.1638646479.000001BA14380000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000000.1766391573.000002BFB0DC2000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1811264088.00000240464CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1875519724.000002BAA5BDD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2541404315.0000007544FF0000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.1421246310.000001B6AF153000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1542157242.000001CDF147C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.1862633775.000002BAA513B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A0002D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2548498978.000001F24C926000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1630021987.000001B720F2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1741048617.000002402D440000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2107624213.000002A06D0C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326829533.000001F267E10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A000E70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2546404498.000002BFB0EFB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.2078566612.000002A06BC80000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1874421073.0000025910491000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000027.00000002.2078485727.00000201F5600000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000F.00000002.1458916018.0000028E1CF1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B721945000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2029187628.000001F300126000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1542157242.000001CDF143C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000002.1930726295.000002A000B64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1542157242.000001CDF151A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000F.00000002.1459760921.0000028E1D6D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1548352968.000001CDF34D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000000.1308365620.000001F267BE2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000A.00000002.1741361683.000002402D5D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000035.00000002.1896358281.0000019356671000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1538211245.000001CD805A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000015.00000002.1633030598.000001B721751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000030.00000002.1886184112.0000025910BF0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000F.00000002.1459760921.0000028E1D651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000032.00000002.2565001660.000001F24D1ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7924, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 8036, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6608, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7276, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7268, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 8128, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 7032, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 2348, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageADRemote.exe PID: 2832, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 2800, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 3852, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 1128, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: Agent.Package.Availability.exe PID: 4844, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Windows\Installer\MSI9AE3.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFFC36A7348E90ED6B.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFFBC50EC9FCD8D654.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFAF2CCBFA9D5D1553.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIBBD8.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA786ED6563BB7942.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFB35E1D2CB7B8B02E.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF02D57BAE8B0907B3.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\67ba7b.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\67ba81.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFB32B39B2AAA6C1DA.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF868EC19AE7A8B005.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF0114A7EAEF71480F.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD312689799DC7A0C.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF5F8D2BCC61A473AD.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA5242E6744A4A813.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF16E97591AF9E57D7.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFEC7BFDF0396EF13B.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF24648D54C9A5BE6D.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFFF278558ADD9E957.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA168B4CCF1176679.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD3F1F486E5A9F00D.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF7884A5394D9052ED.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF97EB4D6205F239D3.TMP, type: DROPPED
                                Source: Yara matchFile source: \Device\ConDrv, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF70777B487D973BA8.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF211203521E827CF4.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240904084103_001_dotnet_hostfxr_6.0.32_win_x64.msi.log, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIC476.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF7ABD191A9525A9AA.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\67ba72.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF655A74B9BA445056.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF84BE7EE8B38FA38A.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFDD0A695386F05727.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF2C6998768CD931A6.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF769902E7494E7123.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF1C011ABA9B3071CE.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF4ED24C8238DCF176.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF3AAD9A74C126CA8A.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFB179B7CBB51DF02E.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFF573D81CD81747E6.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFAFEA10D23247A300.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFDEE8C20B33D20C5D.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFD3B8D326BBEE075A.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240904084103_000_dotnet_runtime_6.0.32_win_x64.msi.log, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 31_2_00007FF817ADB9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,31_2_00007FF817ADB9F0

                                Mitre Att&ck Matrix

                                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                Gather Victim Identity Information1
                                Scripting                                		1
                                Replication Through Removable Media                                		541
                                Windows Management Instrumentation                                		1
                                Scripting                                		1
                                DLL Side-Loading                                		121
                                Disable or Modify Tools                                		1
                                Input Capture                                		2
                                System Time Discovery                                		Remote Services11
                                Archive Collected Data                                		2
                                Encrypted Channel                                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                                CredentialsDomainsDefault Accounts1
                                Native API                                		1
                                DLL Side-Loading                                		22
                                Windows Service                                		11
                                Deobfuscate/Decode Files or Information                                		LSASS Memory11
                                Peripheral Device Discovery                                		Remote Desktop Protocol1
                                Input Capture                                		Junk DataExfiltration Over BluetoothNetwork Denial of Service
                                Email AddressesDNS ServerDomain Accounts11
                                Command and Scripting Interpreter                                		22
                                Windows Service                                		11
                                Process Injection                                		41
                                Obfuscated Files or Information                                		Security Account Manager3
                                File and Directory Discovery                                		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal Accounts11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		121
                                Software Packing                                		NTDS175
                                System Information Discovery                                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud Accounts1
                                Service Execution                                		2
                                Registry Run Keys / Startup Folder                                		2
                                Registry Run Keys / Startup Folder                                		1
                                Timestomp                                		LSA Secrets1
                                Query Registry                                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                                DLL Side-Loading                                		Cached Domain Credentials6101
                                Security Software Discovery                                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                                File Deletion                                		DCSync11
                                Process Discovery                                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job133
                                Masquerading                                		Proc Filesystem481
                                Virtualization/Sandbox Evasion                                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt481
                                Virtualization/Sandbox Evasion                                		/etc/passwd and /etc/shadow1
                                Application Window Discovery                                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron11
                                Process Injection                                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                                Behavior Graph

                                Hide Legend

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
                                behaviorgraph top1 signatures2 2 Behavior Graph ID: 1504095 Sample: SecuriteInfo.com.Program.Re... Startdate: 04/09/2024 Architecture: WINDOWS Score: 100 124 Detected unpacking (changes PE section rights) 2->124 126 Yara detected AteraAgent 2->126 128 Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines) 2->128 130 8 other signatures 2->130 8 msiexec.exe 501 952 2->8         started        12 AteraAgent.exe 2->12         started        14 AteraAgent.exe 25 60 2->14         started        17 9 other processes 2->17 process3 dnsIp4 84 C:\Program Files\dotnet\...\netstandard.dll, PE32 8->84 dropped 86 C:\Program Files\dotnet\shared\...\System.dll, PE32 8->86 dropped 88 C:\Program Files\dotnet\...\System.Net.dll, PE32 8->88 dropped 96 482 other files (74 malicious) 8->96 dropped 138 Sample is not signed and drops a device driver 8->138 19 AteraAgent.exe 3 6 8->19         started        34 3 other processes 8->34 90 C:\...\Microsoft.Win32.TaskScheduler.dll, PE32 12->90 dropped 92 C:\...\AgentPackageUpgradeAgent.exe, PE32 12->92 dropped 94 C:\Program Files (x86)\...\UserDetections.dll, PE32 12->94 dropped 98 315 other files (38 malicious) 12->98 dropped 140 Installs Task Scheduler Managed Wrapper 12->140 142 Very long command line found 12->142 23 AgentPackageUpgradeAgent.exe 12->23         started        25 AgentPackageInternalPoller.exe 12->25         started        36 8 other processes 12->36 112 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 14->112 114 13.35.58.59 AMAZON-02US United States 14->114 116 35.157.63.229 AMAZON-02US United States 14->116 100 44 other files (13 malicious) 14->100 dropped 144 Reads the Security eventlog 14->144 146 Reads the System eventlog 14->146 27 AgentPackageADRemote.exe 14->27         started        30 AgentPackageAgentInformation.exe 14->30         started        32 AgentPackageMonitoring.exe 14->32         started        38 3 other processes 14->38 118 64.31.23.26 LIMESTONENETWORKSUS United States 17->118 120 15.235.218.149 HP-INTERNET-ASUS United States 17->120 122 239.255.102.18 unknown Reserved 17->122 148 Query firmware table information (likely to detect VMs) 17->148 150 Changes security center settings (notifications, updates, antivirus, firewall) 17->150 file5 signatures6 process7 dnsIp8 66 C:\Windows\System32\InstallUtil.InstallLog, Unicode 19->66 dropped 68 C:\...\AteraAgent.InstallLog, Unicode 19->68 dropped 132 Reads the Security eventlog 19->132 134 Reads the System eventlog 19->134 70 C:\Program Files (x86)\...\AteraAgent.exe, PE32 23->70 dropped 72 C:\...\AteraAgent.InstallLog, Unicode 23->72 dropped 74 C:\...\PubNub-Messaging.dll, PE32 23->74 dropped 82 2 other files (none is malicious) 23->82 dropped 136 Creates files in the system32 config directory 23->136 40 conhost.exe 23->40         started        42 conhost.exe 25->42         started        102 20.60.197.1 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->102 52 2 other processes 27->52 44 conhost.exe 30->44         started        46 conhost.exe 32->46         started        104 199.232.210.172 FASTLYUS United States 36->104 106 52.223.39.232 AMAZONEXPANSIONGB United States 36->106 108 3.164.68.14 AMAZON-02US United States 36->108 76 C:\Program Files (x86)\...\6-0-32.exe, PE32 36->76 dropped 78 \Device\ConDrv, ASCII 36->78 dropped 80 C:\Windows\Temp\SplashtopStreamer.exe, PE32 36->80 dropped 48 cmd.exe 36->48         started        54 8 other processes 36->54 110 20.37.139.187 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 38->110 50 cmd.exe 38->50         started        56 3 other processes 38->56 file9 signatures10 process11 process12 58 conhost.exe 48->58         started        60 cscript.exe 48->60         started        62 conhost.exe 50->62         started        64 cscript.exe 50->64         started       

                                Screenshots

                                Thumbnails

                                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                                windows-stand

                                Antivirus, Machine Learning and Genetic Malware Detection

                                Initial Sample

                                SourceDetectionScannerLabelLink
                                SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi11%ReversingLabs

                                Dropped Files

                                SourceDetectionScannerLabelLink
                                67ba7c.rbf (copy)5%ReversingLabs
                                67ba7e.rbf (copy)0%ReversingLabs
                                67ba7f.rbf (copy)0%ReversingLabs
                                67ba80.rbf (copy)4%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe5%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.CommandLine.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Configuration.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\System.Diagnostics.EventLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll0%ReversingLabs

                                Unpacked PE Files

                                No Antivirus matches

                                Domains

                                No Antivirus matches

                                URLs

                                SourceDetectionScannerLabelLink
                                http://standards.iso.org/iso/19770/-2/2009/schema.xsd0%URL Reputationsafe
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                                http://www.openssl.org/support/faq.html0%URL Reputationsafe
                                http://www.w3.o0%URL Reputationsafe
                                http://schemas.datacontract.org0%Avira URL Cloudsafe
                                http://dl.google.com/googletalk/googletalk-setup.exe0%Avira URL Cloudsafe
                                https://anydesk.com/update0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/22.1/AgentPackageSTRemote.zip?pGaRIyGOK0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.1/AgentPackageMarketplace.zip0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zip0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip0%Avira URL Cloudsafe
                                https://nlog-project.org/0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zip0%Avira URL Cloudsafe
                                https://help.anydesk.com/macos-security0%Avira URL Cloudsafe
                                https://datatracker.ietf.org/ipr/1526/0%Avira URL Cloudsafe
                                http://schemas.datacontract.org/2004/07/System.ServiceProcess0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip0%Avira URL Cloudsafe
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIP0%Avira URL Cloudsafe
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIP0%Avira URL Cloudsafe
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformati0%Avira URL Cloudsafe
                                https://policies.google.com/privacy?hl=$0%Avira URL Cloudsafe
                                http://acontrol.atera.com/0%Avira URL Cloudsafe
                                https://help.anydesk.com/0%Avira URL Cloudsafe
                                https://agent-api.atera.com/Production/Agent/dynamic-fields/0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip0%Avira URL Cloudsafe
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE0%Avira URL Cloudsafe
                                https://my.anydesk.com/download/8CQsu9kv/AnyDesk_Custom_Client.msi0%Avira URL Cloudsafe
                                https://my.anydesk.com/download/8CQsu9kv/AnyDesk_Custom_Client.msiJ0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery0%Avira URL Cloudsafe
                                https://help.anydesk.com/error-messages0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip?pGaRI0%Avira URL Cloudsafe
                                https://help.anydesk.com/wol0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zip0%Avira URL Cloudsafe
                                https://agent-api.atera.com0%Avira URL Cloudsafe
                                https://www.nuget.org/packages/NLog.Web.AspNetCore0%Avira URL Cloudsafe
                                http://www.w3.oh0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip0%Avira URL Cloudsafe
                                http://support.anydesk.com0%Avira URL Cloudsafe
                                https://datatracker.ietf.org/ipr/1524/0%Avira URL Cloudsafe
                                https://agent-api.atera.com/Production/Agent/thresholds/328987ae-dff2-409c-a138-b16d9739728b0%Avira URL Cloudsafe
                                http://nlog-project.org/ws/0%Avira URL Cloudsafe
                                https://anydesk.com/company#imprint0%Avira URL Cloudsafe
                                http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT0%Avira URL Cloudsafe
                                https://anydesk.com/ti0%Avira URL Cloudsafe
                                https://urn.to/r/sds_see0%Avira URL Cloudsafe
                                http://www.openssl.org/)0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.z0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?pGaRIyGOKx0%Avira URL Cloudsafe
                                https://ps.atera.com/a0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip0%Avira URL Cloudsafe
                                https://agent-api.atera.com/Production/Agent/thresholds/328987ae-dff2-409c-a138-b16d9739728bx0%Avira URL Cloudsafe
                                https://support.anydesk.com/0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip?pGa0%Avira URL Cloudsafe
                                https://my.anydesk.com0%Avira URL Cloudsafe
                                https://system.data.sqlite.org/X0%Avira URL Cloudsafe
                                https://agent-api.atera.com/Production/Agent/recurringCommandResult0%Avira URL Cloudsafe
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.4/AGENTPACKAGEMARKETPLACE.ZIP0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.90%Avira URL Cloudsafe
                                http://www.abit.com.tw/0%Avira URL Cloudsafe
                                https://github.com/dotnet/runtime0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip0%Avira URL Cloudsafe
                                https://agent-api.atera.com/Production/Agent/AcknowledgeCommands0%Avira URL Cloudsafe
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGETICKETING/28.2/AGENTPACKAGETICKETING.ZIP0%Avira URL Cloudsafe
                                https://agent-api.P0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation0%Avira URL Cloudsafe
                                https://github.com/JamesNK/Newtonsoft.Json0%Avira URL Cloudsafe
                                https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e39580%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageUpgradeAgent/26.7/AgentPackageUpgradeAgent.zip0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip?p0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip0%Avira URL Cloudsafe
                                https://github.com/dotnet/runtime/issues/73124.0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zip0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip0%Avira URL Cloudsafe
                                http://www.anydesk.com/0%Avira URL Cloudsafe
                                https://ps.pndsn0%Avira URL Cloudsafe
                                https://www.sqlite.org/copyright.html20%Avira URL Cloudsafe
                                https://console-ui.myanydesk2.on.anydesk.com0%Avira URL Cloudsafe
                                https://github.com/dotnet/roslyn/issues/466460%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/23.9/AgentPackageProgramManage0%Avira URL Cloudsafe
                                https://agent-api.atera.com/Production/Agent/guiComm0%Avira URL Cloudsafe
                                https://ps.pndsn.com/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/328987ae-dff2-409c-a138-b10%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z0%Avira URL Cloudsafe
                                https://system.data.sqlite.org/0%Avira URL Cloudsafe
                                https://help.anydesk.com/HelpLinkInstallLocationAnyDesk0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?pGaRIy0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip0%Avira URL Cloudsafe
                                https://order.anydesk.com/trial0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgentIn0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageInternalPoller/13.0/AgentPackageInternalPoller.zip0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zip0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/28.2/AgentPackageTicketing.zip?pGaRIyG0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zip0%Avira URL Cloudsafe
                                https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip0%Avira URL Cloudsafe
                                https://anydesk.com/0%Avira URL Cloudsafe

                                Domains and IPs

                                Contacted Domains

                                No contacted domains info

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/22.1/AgentPackageSTRemote.zip?pGaRIyGOKAteraAgent.exe, 00000012.00000002.1930726295.000002A00028B000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://schemas.datacontract.orgAteraAgent.exe, 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageMarketplace/1.1/AgentPackageMarketplace.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://anydesk.com/updateAnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageInternalPoller/15.9/AgentPackageInternalPoller.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageUpgradeAgent/22.1/AgentPackageUpgradeAgent.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://nlog-project.org/AgentPackageMonitoring.exe, 0000001F.00000002.1546962458.000001CDF26B8000.00000002.00000001.01000000.00000013.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://dl.google.com/googletalk/googletalk-setup.exeAgentPackageAgentInformation.exe, 0000000D.00000000.1402430407.000001B6AEE92000.00000002.00000001.01000000.00000007.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIPAteraAgent.exe, 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://standards.iso.org/iso/19770/-2/2009/schema.xsdsvchost.exe, 00000007.00000002.2545047058.000002AA1E887000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2545858532.000002AA1F118000.00000004.00000020.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://datatracker.ietf.org/ipr/1526/AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://policies.google.com/privacy?hl=$AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://help.anydesk.com/macos-securityAnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.ZAteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIPAteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformatiAteraAgent.exe, 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DED5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEC0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://acontrol.atera.com/AteraAgent.exe, 00000009.00000000.1308365620.000001F267BE2000.00000002.00000001.01000000.00000004.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000010000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000000D.00000002.1421997857.000001B6AF8D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000010000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721751000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA14F00000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://my.anydesk.com/download/8CQsu9kv/AnyDesk_Custom_Client.msiAnyDesk-f45e5af2_msi.exe, 00000024.00000002.2559861044.00000000016A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://help.anydesk.com/AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://my.anydesk.com/download/8CQsu9kv/AnyDesk_Custom_Client.msiJAnyDesk-f45e5af2_msi.exe, 00000024.00000002.2564926088.00000000020D0000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://help.anydesk.com/error-messagesAnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip?pGaRIAteraAgent.exe, 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://help.anydesk.com/wolAnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageHeartbeat/17.11/AgentPackageHeartbeat.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://agent-api.atera.comAteraAgent.exe, 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000000D.00000002.1421997857.000001B6AF8D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000010000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B72190D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721945000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721751000.00000004.00000800.00020000.00000000.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1641133212.000001BA15006000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 0000001F.00000002.1546962458.000001CDF26B8000.00000002.00000001.01000000.00000013.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.w3.ohAteraAgent.exe, 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://support.anydesk.comAnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://agent-api.atera.com/Production/Agent/thresholds/328987ae-dff2-409c-a138-b16d9739728bAgentPackageMonitoring.exe, 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://datatracker.ietf.org/ipr/1524/AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://nlog-project.org/ws/AgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://anydesk.com/company#imprintAnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 0000001F.00000002.1546139529.000001CDF25E2000.00000002.00000001.01000000.00000013.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/aAteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 0000001F.00000002.1547589739.000001CDF2782000.00000002.00000001.01000000.00000015.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.openssl.org/)AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://anydesk.com/tiAnyDesk-f45e5af2_msi.exe, 00000025.00000003.1632400515.000000000336D000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.zAteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?pGaRIyGOKxAteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://support.anydesk.com/AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://agent-api.atera.com/Production/Agent/thresholds/328987ae-dff2-409c-a138-b16d9739728bxAgentPackageMonitoring.exe, 0000001F.00000002.1548352968.000001CDF3490000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.8/AgentPackageSystemTools.zip?pGaAteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://system.data.sqlite.org/XAgentPackageMonitoring.exe, 0000001F.00000002.1548081777.000001CDF27E4000.00000002.00000001.01000000.00000015.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://my.anydesk.comAnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.abit.com.tw/AgentPackageMonitoring.exe, 0000001F.00000002.1544896951.000001CDF2362000.00000002.00000001.01000000.00000010.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://agent-api.atera.com/Production/Agent/recurringCommandResultAgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B72190D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721945000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.4/AGENTPACKAGEMARKETPLACE.ZIPAteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.openssl.org/support/faq.htmlAnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://github.com/dotnet/runtimeAteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEB0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://agent-api.PAgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B7219C1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGETICKETING/28.2/AGENTPACKAGETICKETING.ZIPAteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.w3.oAteraAgent.exe, 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                		unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.2/AgentPackageAgentInformationAteraAgent.exe, 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesmac/AgentPackageUpgradeAgent/26.7/AgentPackageUpgradeAgent.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://github.com/JamesNK/Newtonsoft.JsonAgentPackageAgentInformation.exe, 0000000D.00000002.1422557905.000001B6C7FC2000.00000002.00000001.01000000.0000000A.sdmp, AgentPackageADRemote.exe, 0000001C.00000002.1652885949.000001BA2D520000.00000002.00000001.01000000.0000001C.sdmp, AgentPackageMonitoring.exe, 0000001F.00000002.1547016268.000001CDF26C2000.00000002.00000001.01000000.00000014.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip?pAteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://github.com/dotnet/corefx/tree/32b491939fbd125f304031c35038b1e14b4e3958AteraAgent.exe, 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000057000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackageswin/AgentPackageMarketplace/13.0/AgentPackageMarketplace.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://github.com/dotnet/runtime/issues/73124.AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.pndsnAteraAgent.exe, 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E11B000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://www.anydesk.com/AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://www.sqlite.org/copyright.html2AgentPackageMonitoring.exe, 0000001F.00000002.1559899567.00007FF817C34000.00000002.00000001.01000000.0000000D.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/23.9/AgentPackageProgramManageAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A0002D0000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://console-ui.myanydesk2.on.anydesk.comAnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                https://github.com/dotnet/roslyn/issues/46646AteraAgent.exe, 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.5/AGENT.PACKAGE.WATCHDOG.ZIPAteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  https://agent-api.atera.com/Production/Agent/guiCommAgentPackageAgentInformation.exe, 00000015.00000002.1633030598.000001B7219C1000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.pndsn.com/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/328987ae-dff2-409c-a138-b1AteraAgent.exe, 0000000A.00000002.1744392039.000002402E11B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A0000B0000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://help.anydesk.com/HelpLinkInstallLocationAnyDeskAnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000227C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000002295000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?pGaRIyAteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.zAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://system.data.sqlite.org/AgentPackageMonitoring.exe, 0000001F.00000002.1547589739.000001CDF2782000.00000002.00000001.01000000.00000015.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://order.anydesk.com/trialAnyDesk-f45e5af2_msi.exe, 00000024.00000003.1596910970.000000000187C000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000024.00000002.2550654378.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1624983812.0000000001895000.00000004.00000020.00020000.00000000.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000002.2550757498.000000000080D000.00000002.00000001.01000000.00000017.sdmp, AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgentInAteraAgent.exe, 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DEC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.atera.com/agentpackagesmac/AgentPackageInternalPoller/13.0/AgentPackageInternalPoller.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/28.2/AgentPackageTicketing.zip?pGaRIyGAteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.atera.com/agentpackagesmac/AgentPackageOsUpdates/19.4/AgentPackageOsUpdates.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown
                                  https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000A.00000002.1744392039.000002402E163000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown
                                    https://anydesk.com/AnyDesk-f45e5af2_msi.exe, 00000025.00000003.1631628497.00000000032B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown

                                    World Map of Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public IPs

                                    IPDomainCountryFlagASNASN NameMalicious
                                    40.119.152.241
                                    		unknownUnited States
                                    		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                    15.235.218.149
                                    		unknownUnited States
                                    		71HP-INTERNET-ASUSfalse
                                    13.35.58.59
                                    		unknownUnited States
                                    		16509AMAZON-02USfalse
                                    35.157.63.229
                                    		unknownUnited States
                                    		16509AMAZON-02USfalse
                                    20.37.139.187
                                    		unknownUnited States
                                    		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                    3.164.68.14
                                    		unknownUnited States
                                    		16509AMAZON-02USfalse
                                    64.31.23.26
                                    		unknownUnited States
                                    		46475LIMESTONENETWORKSUSfalse
                                    20.60.197.1
                                    		unknownUnited States
                                    		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                    199.232.210.172
                                    		unknownUnited States
                                    		54113FASTLYUSfalse
                                    239.255.102.18
                                    		unknownReserved
                                    		unknownunknownfalse
                                    52.223.39.232
                                    		unknownUnited States
                                    		8987AMAZONEXPANSIONGBfalse

                                    General Information

                                    Joe Sandbox version:40.0.0 Tourmaline
                                    Analysis ID:1504095
                                    Start date and time:2024-09-04 14:38:50 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 13m 34s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:76
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi
                                    Detection:MAL
                                    Classification:mal100.rans.troj.spyw.evad.winMSI@100/1157@0/11
                                    EGA Information:
                                    • Successful, ratio: 37.5%
                                    HCA Information:
                                    • Successful, ratio: 62%
                                    • Number of executed functions: 329
                                    • Number of non-executed functions: 6
                                    Cookbook Comments:
                                    • Found application associated with file extension: .msi

                                    Warnings

                                    • Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe
                                    • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 6608 because it is empty
                                    • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7276 because it is empty
                                    • Execution Graph export aborted for target AteraAgent.exe, PID 7268 because it is empty
                                    • Execution Graph export aborted for target AteraAgent.exe, PID 7924 because it is empty
                                    • Execution Graph export aborted for target AteraAgent.exe, PID 8036 because it is empty
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                    • Report size getting too big, too many NtOpenFile calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                    • Report size getting too big, too many NtSetInformationFile calls found.
                                    • Report size getting too big, too many NtSetValueKey calls found.
                                    • Report size getting too big, too many NtWriteFile calls found.
                                    • Skipping network analysis since amount of network traffic is too extensive
                                    • VT rate limit hit for: SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    08:39:48API Interceptor409x Sleep call for process: AteraAgent.exe modified
                                    08:39:56API Interceptor32x Sleep call for process: AgentPackageAgentInformation.exe modified
                                    08:40:05API Interceptor16x Sleep call for process: AgentPackageMonitoring.exe modified
                                    08:40:16API Interceptor13x Sleep call for process: AgentPackageADRemote.exe modified
                                    08:40:17API Interceptor1x Sleep call for process: AnyDesk-f45e5af2_msi.exe modified
                                    08:40:37API Interceptor19x Sleep call for process: AgentPackageMarketplace.exe modified
                                    08:40:37API Interceptor10561x Sleep call for process: AgentPackageSTRemote.exe modified
                                    08:40:39API Interceptor23x Sleep call for process: AgentPackageRuntimeInstaller.exe modified
                                    08:40:56API Interceptor7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
                                    14:40:35Task SchedulerRun new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun
                                    14:41:06AutostartRun: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {ff783edd-4e4e-491d-9d9c-72f3aa70cedf} "C:\ProgramData\Package Cache\{ff783edd-4e4e-491d-9d9c-72f3aa70cedf}\dotnet-runtime-6.0.32-win-x64.exe" /burn.runonce
                                    14:41:34Task SchedulerRun new task: AteraAgentServiceWatchdog path: C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe s>eyJBZ2VudElkIjoiMzI4OTg3YWUtZGZmMi00MDljLWExMzgtYjE2ZDk3Mzk3MjhiIiwiQ29tbWFuZElkIjoiNGViOGIzYWUtM2ExZS00YzdiLWE3ZjMtODg0ZGIyNzIxODk4IiwiQWNjb3VudElkIjpudWxsLCJBZ2VudEFwaUhvc3QiOiJhZ2VudC1hcGkuYXRlcmEuY29tL1Byb2R1Y3Rpb24iLCJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIyaGVhbHRoY2hlY2tcdTAwMjJ9IiwiQWdlbnREaXJlY3RvcnkiOiIifQ==

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    40.119.152.241Y3Wvl9aYAU.cmdGet hashmaliciousAteraAgentBrowse
                                      SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiGet hashmaliciousAteraAgentBrowse
                                        SecuriteInfo.com.Program.RemoteAdminNET.1.7216.330.msiGet hashmaliciousAteraAgentBrowse
                                          4PP--0001S4D8S_DANFE000S1AS4SD5555522A1111.msiGet hashmaliciousAteraAgentBrowse
                                            setup_it_security (1).msiGet hashmaliciousAteraAgentBrowse
                                              SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msiGet hashmaliciousAteraAgentBrowse
                                                Adobe.msiGet hashmaliciousAteraAgentBrowse
                                                  SecuriteInfo.com.Program.RemoteAdminNET.1.29844.msiGet hashmaliciousGhostRatBrowse
                                                    VirginMediaBill26012020.msiGet hashmaliciousGhostRatBrowse
                                                      cqIMFiGPGW.msiGet hashmaliciousUnknownBrowse
                                                        35.157.63.229Y3Wvl9aYAU.cmdGet hashmaliciousAteraAgentBrowse
                                                          Guidelines_for_Citizen_Safety.msiGet hashmaliciousAteraAgentBrowse
                                                            SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msiGet hashmaliciousAteraAgentBrowse
                                                              Adobe.msiGet hashmaliciousAteraAgentBrowse
                                                                2cFFfHDG7D.msiGet hashmaliciousAteraAgentBrowse
                                                                  SecuriteInfo.com.Program.RemoteAdminNET.1.29844.msiGet hashmaliciousGhostRatBrowse
                                                                    VirginMediaBill26012020.msiGet hashmaliciousGhostRatBrowse
                                                                      cqIMFiGPGW.msiGet hashmaliciousUnknownBrowse
                                                                        setup.msiGet hashmaliciousUnknownBrowse
                                                                          1.msiGet hashmaliciousUnknownBrowse
                                                                            20.37.139.187Y3Wvl9aYAU.cmdGet hashmaliciousAteraAgentBrowse
                                                                              SecuriteInfo.com.Program.RemoteAdminNET.1.15125.10364.msiGet hashmaliciousAteraAgentBrowse
                                                                                AdobeAcrobat2.1.2.msiGet hashmaliciousAteraAgentBrowse
                                                                                  440e4d.msiGet hashmaliciousAteraAgentBrowse
                                                                                    digitalform.msiGet hashmaliciousAteraAgentBrowse
                                                                                      https://ws.onehub.com/files/jgt2zodjGet hashmaliciousAteraAgentBrowse
                                                                                        SecuriteInfo.com.Program.RemoteAdminNET.1.9196.7480.msiGet hashmaliciousUnknownBrowse
                                                                                          SecuriteInfo.com.Program.RemoteAdminNET.1.5343.8667.msiGet hashmaliciousUnknownBrowse
                                                                                            64.31.23.26SysrI6zSkJ.exeGet hashmaliciousRedLineBrowse
                                                                                              https://download.anydesk.com/AnyDesk.exeGet hashmaliciousUnknownBrowse
                                                                                                anydesk.exeGet hashmaliciousUnknownBrowse

                                                                                                  Domains

                                                                                                  No context

                                                                                                  ASNs

                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                  AMAZON-02UShttp://accounts.aptia365.comGet hashmaliciousUnknownBrowse
                                                                                                  • 52.27.112.63
                                                                                                  BrowserRecovery.exeGet hashmaliciousZTratBrowse
                                                                                                  • 3.132.159.158
                                                                                                  Dropper.batGet hashmaliciousLockBit ransomwareBrowse
                                                                                                  • 76.76.21.142
                                                                                                  https://ynjac.com/click?redirect=http%3A%2F%2Fwww.KineticAgency.com&dID=1724778304747&hashId=404941f7b6ec62dc57c0bc5f930858f35215fdf2f3368224f3526a5023c4bc3ded39&linkName=www.KineticAgency.comGet hashmaliciousUnknownBrowse
                                                                                                  • 18.239.69.26
                                                                                                  https://thelearningexperience.com/Get hashmaliciousUnknownBrowse
                                                                                                  • 3.164.206.12
                                                                                                  PDPUOIE76867 PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 13.248.169.48
                                                                                                  https://onedrive.live.com/view.aspx?resid=7AEF24C2ECCBD3A%21123&authkey=!ABehDrl0wDeSrDgGet hashmaliciousUnknownBrowse
                                                                                                  • 3.164.68.65
                                                                                                  Keyser & Mackay.pdfGet hashmaliciousUnknownBrowse
                                                                                                  • 18.239.69.21
                                                                                                  AUG 2024 SOA.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 54.67.87.110
                                                                                                  https://www.qrcreator.com/qr/1CFCF746Get hashmaliciousPhisherBrowse
                                                                                                  • 18.245.175.80
                                                                                                  HP-INTERNET-ASUShttps://wzi.xwi.mybluehost.me/servizi/brt/Get hashmaliciousUnknownBrowse
                                                                                                  • 15.204.22.185
                                                                                                  https://psr22kzz.r.us-gov-west-1.awstrack.me/L0/https:%2F%2Femp.eduyield.com%2Fel%3Faid=28gedda0e6c-1865-11ef-80aa-0217a07992df%26rid=33766156%26pid=771868%26cid=497%26dest=google.com.%2F%2F%2F%2Famp%2Fs%2Fthaiphong.com.vn%2F.dev%2FAB5lJGVc%2FdGh1eW5oQHZlY3RyYS5haQ==$%25C3%25A3%25E2%2582%25AC%25E2%2580%259A/1/010a0191a48a95df-72d17fe9-e949-4ffe-a067-f4e30ca6557e-000000/3uT0yFUer9bmcQWFh2O3pt3t9s8=1Get hashmaliciousUnknownBrowse
                                                                                                  • 15.205.59.147
                                                                                                  FW+New+documents+have+been+shared+with+you+in+OceanFront+Investment+Counsel+Inc..emlGet hashmaliciousUnknownBrowse
                                                                                                  • 15.156.203.124
                                                                                                  M2aWOsEfhq.dllGet hashmaliciousRHADAMANTHYSBrowse
                                                                                                  • 15.235.176.166
                                                                                                  https://google.mg/url?hl=en&q=https://google.nr/url?q=Gl7qws6TcZ&rct=4214&sa=t&esrc=vax&source=Gl7qws6TcZ&cd=Nzpn8b&cad=Gl7qws6TcZD5&ved=Gl7qws6TcZ84214G&uact=82299&url=amp%2Fgoogle.com.pg/amp/cli.re/rp5Y1r#YW5kcmV3QGhlZWRkaWdpdGFsbWVkaWEuY29t%2F&opi=256371986142&usg=lxfGUQNysmkDx&source=gmail&ust=5108318229914681&usg=AOGl7qws6TcZjng81rOWFwZGl7qws6TcZqR81Get hashmaliciousHTMLPhisherBrowse
                                                                                                  • 15.204.57.67
                                                                                                  oothgirl.docGet hashmaliciousRemcosBrowse
                                                                                                  • 15.235.47.55
                                                                                                  M12_20240821_0.xlsGet hashmaliciousRemcosBrowse
                                                                                                  • 15.235.47.55
                                                                                                  53QoH91Zg3.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 15.204.142.37
                                                                                                  https://therupdatingsresrtiuujh-vercel-app.translate.goog/?b=Z2FicmllbGEuZGFtYWN1c0BiYnJhdW4uY29t&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wappGet hashmaliciousUnknownBrowse
                                                                                                  • 15.204.22.185
                                                                                                  https://therupdatingsresrtiuujh-vercel-app.translate.goog/?b=bHJhLnJvQGJicmF1bi5jb20=&_x_tr_sl=auto&_x_tr_tl=en&_x_tr_hl=en&_x_tr_pto=wappGet hashmaliciousUnknownBrowse
                                                                                                  • 15.204.22.185
                                                                                                  MICROSOFT-CORP-MSN-AS-BLOCKUShttp://accounts.aptia365.comGet hashmaliciousUnknownBrowse
                                                                                                  • 150.171.27.10
                                                                                                  https://thelearningexperience.com/Get hashmaliciousUnknownBrowse
                                                                                                  • 13.107.246.60
                                                                                                  https://onedrive.live.com/view.aspx?resid=7AEF24C2ECCBD3A%21123&authkey=!ABehDrl0wDeSrDgGet hashmaliciousUnknownBrowse
                                                                                                  • 20.135.25.0
                                                                                                  file.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 13.107.246.60
                                                                                                  Keyser & Mackay.pdfGet hashmaliciousUnknownBrowse
                                                                                                  • 20.190.159.71
                                                                                                  Invoice for 04-09-24 fede39.admr.org.htmlGet hashmaliciousUnknownBrowse
                                                                                                  • 13.107.253.42
                                                                                                  _PDF__838754.msiGet hashmaliciousMetamorfoBrowse
                                                                                                  • 102.37.159.106
                                                                                                  file.exeGet hashmaliciousUnknownBrowse
                                                                                                  • 13.107.246.60
                                                                                                  http://link.dpd.pt/l/YCaldMErXuGet hashmaliciousUnknownBrowse
                                                                                                  • 20.93.211.47
                                                                                                  14995c3f-496f-5fa2-8b87-4fdbc38ec4be.emlGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                  • 20.189.173.10
                                                                                                  AMAZON-02UShttp://accounts.aptia365.comGet hashmaliciousUnknownBrowse
                                                                                                  • 52.27.112.63
                                                                                                  BrowserRecovery.exeGet hashmaliciousZTratBrowse
                                                                                                  • 3.132.159.158
                                                                                                  Dropper.batGet hashmaliciousLockBit ransomwareBrowse
                                                                                                  • 76.76.21.142
                                                                                                  https://ynjac.com/click?redirect=http%3A%2F%2Fwww.KineticAgency.com&dID=1724778304747&hashId=404941f7b6ec62dc57c0bc5f930858f35215fdf2f3368224f3526a5023c4bc3ded39&linkName=www.KineticAgency.comGet hashmaliciousUnknownBrowse
                                                                                                  • 18.239.69.26
                                                                                                  https://thelearningexperience.com/Get hashmaliciousUnknownBrowse
                                                                                                  • 3.164.206.12
                                                                                                  PDPUOIE76867 PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 13.248.169.48
                                                                                                  https://onedrive.live.com/view.aspx?resid=7AEF24C2ECCBD3A%21123&authkey=!ABehDrl0wDeSrDgGet hashmaliciousUnknownBrowse
                                                                                                  • 3.164.68.65
                                                                                                  Keyser & Mackay.pdfGet hashmaliciousUnknownBrowse
                                                                                                  • 18.239.69.21
                                                                                                  AUG 2024 SOA.exeGet hashmaliciousFormBookBrowse
                                                                                                  • 54.67.87.110
                                                                                                  https://www.qrcreator.com/qr/1CFCF746Get hashmaliciousPhisherBrowse
                                                                                                  • 18.245.175.80

                                                                                                  JA3 Fingerprints

                                                                                                  No context

                                                                                                  Dropped Files

                                                                                                  No context

                                                                                                  Created / dropped Files

                                                                                                  67ba7c.rbf (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):107520
                                                                                                  Entropy (8bit):5.61222820248956
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:+Tk1M9FgUVRP4ZCebOnhAKmMAhyAc00dX62Cbkmcg3vtTqlsobxF:p6gUXPe0nCKmMAt0dK2CbkKvtTqxF
                                                                                                  MD5:28D920237F64F246331725C1B2A29D1B
                                                                                                  SHA1:6CBBAEAB2AAF910F7397771C4E2B5BA7D5719C9F
                                                                                                  SHA-256:79F6FADF2E77652D0D7FCFE3D82E0F2382DC373DB0F2A1D7499D1EEC0BA514AA
                                                                                                  SHA-512:D89DC5C0DA0962B43FBBAE57D373C543C1023BFDBA59721E9DE22BE6225C6207742C6E80FB737CEBC1753C4AEC53218A04187F9FF2C78FB5F0C71D7BBFC65F32
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\o^.........."...0.................. ........@.. ....................................`.................................h...O.......,...........................0................................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H...........4...............p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~......9...s....%.....s.......o......o.....*...0..O........(...........~....r...po...........,..rG..ps ...z.rO..p.....(!....b.....o"....*..0...........~....r...po#..........,%.~....r...po...........,.rG..ps ...z..r

                                                                                                  67ba7d.rbf (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2050
                                                                                                  Entropy (8bit):5.046100598911167
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3frfdbK52nKS4YHJyILsJ+J4YHKJyIv47O7Rguo3XfsnMhmMx:vrf9K5kKS4Ypy6sJ+J4YqJy3qo/sMXx
                                                                                                  MD5:7FF0AC77806AED9588B143CD0FAB552B
                                                                                                  SHA1:184B62F2956B95FFE3DC98EBB31D7F45DBCA83FD
                                                                                                  SHA-256:730D85D5EF4F0939154278949C126A444ED859E7718BB175CA3153CA6ED9D142
                                                                                                  SHA-512:1856BDA8CC3D4161110CD75A7BE4939193ED408A95F9C41E22F4CC9F85B1294584F95796BCE207DD65D606FFB57760B3D2E1681EFBBB7759A19A9F70FB7EDAC8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. <add key="PubnubMessaging.LogLevel" value="0" /><add key="PubnubMessaging.PubnubErrorFilterLevel" value="3" /><add key="PubnubMessaging.LogMessageLengthLimit" value="0" /></appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="Syste

                                                                                                  67ba7e.rbf (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):200704
                                                                                                  Entropy (8bit):5.683688089372797
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
                                                                                                  MD5:C8164876B6F66616D68387443621510C
                                                                                                  SHA1:7A9DF9C25D49690B6A3C451607D311A866B131F4
                                                                                                  SHA-256:40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
                                                                                                  SHA-512:44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  67ba7f.rbf (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):475136
                                                                                                  Entropy (8bit):6.032338173466497
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:g+Idc1yb868v7OgHL1Rimqj9mWTEFxLL3Y1zIalvBFj7eP9yBherOyK:gTc139iUL1RimqdgFNYddBgyH
                                                                                                  MD5:83222120C8095B8623FE827FB70FAF6B
                                                                                                  SHA1:9294136B07C36FAB5523EF345FE05F03EA516B15
                                                                                                  SHA-256:EFF79DE319CA8941A2E62FB573230D82B79B80958E5A26AB1A4E87193EB13503
                                                                                                  SHA-512:3077E4EA7EBFD4D25B60B9727FBAB183827AAD5BA914E8CD3D9557FA3913FD82EFE2CD20B1A193D8C7E1B81EE44F04DADFCB8F18507977C78DD5C8B071F8ADDB
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3............" ..0..6..........vT... ...`....... ...............................E....@................................."T..O....`..d...........................TS..8............................................ ............... ..H............text...L5... ...6.................. ..`.rsrc...d....`.......8..............@..@.reloc...............>..............@..B................VT......H........ ..D2...................R........................................(....*..(....*..{....*"..}....*..(&...*:.(&.....}....*"..('...*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..{$...*"..}$...*..{*...*>..}*.....(....*..{+...*>..}+.....(....*..{%...*"..}%...*..0...........{&......(....-..*..(....*6..s....}&...*.0...........{'......(....-..*..(....*6..s....}'...*.0...........{(......(....-..*..(....*6..s....}(...*.0...........{)......(....-.

                                                                                                  67ba80.rbf (copy)

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):171520
                                                                                                  Entropy (8bit):5.638603609887119
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:mDmFGFDi7DBhxBFBhD9J79tDJNFUK2+6Kt1n4/GVi48CGtkfqLskm3BDaEQysVia:mVKOGV3PDaEQVVi2enxmH8ETz6b2A+
                                                                                                  MD5:E8458B60D4F251DE071B765287C5661E
                                                                                                  SHA1:B4A4D91483F658B79204EC4BE2C2012EFEFD5A63
                                                                                                  SHA-256:52C29826C96E35373F05FEFBD0F92AC9EC377CD65E8F58A945F3A86B41C3DDC6
                                                                                                  SHA-512:57B3B9CD3A47A6543E0E81A4606E7A90E4A459FE827C01EC6A21D1A64503FE6267079FA89E3120519079A1E9A0EB925F3B794D9B39F03D7EBA524393DC564BEA
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.X.........." ..0................. ........... ..............................~.....@.....................................O...................................L................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........-.............................................................~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....-.~....,..*.......s.......(...+~....*.~....*.......*...0..@.......s.......}......}......}......}..........+s.....(....&~....o....*.0...........u....%{.....%{.....%{.....{.....(.....Ps........o....o....tN...o........o....o........-.r...p+...o........o....r...p(........(......o......(....(....(......o........,...o...........(...+..~....o....*

                                                                                                  C:\Config.Msi\67ba72.rbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8521
                                                                                                  Entropy (8bit):5.62102790537804
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:SGr0jm+BGReSU5RUm3PZCsThqrUm3PZC6jNbY0+ThquHle552oWW3IcCmpljNF/q:S6eLKo8IBo8kyQmoWmpLFy
                                                                                                  MD5:7BC0BA7D2183F9A45747C045520C796E
                                                                                                  SHA1:FC3D2A378A278B8004CCD4C347C5BA6CC95724BD
                                                                                                  SHA-256:57F85BBCF70CF7CB3D4EF7039D69521D3E61EF869669CA2596B9675D31CECCAB
                                                                                                  SHA-512:0B5256B1197A7F81B5FA7792D3D28ABC78825A1AF0142A05B60D936DE3922952C6C907AACFCD8DF663B4A5AD98C99FF31F705B44A8D9ECEF9998BA1EEA978D65
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\67ba72.rbs, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@.D$Y.@.....@.....@.....@.....@.....@......&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}..AteraAgent8.SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi.@.....@.....@.....@........&.{352F53AF-93CF-49B0-A97C-42FE183A477F}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraService....KillAteraTask....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}.@......&.{3D32A227-FAAA-4602-881B-0CBCD9090F12}&.{A42BE663-C45C-40E4-A3D1-0A14

                                                                                                  C:\Config.Msi\67ba76.rbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):168350
                                                                                                  Entropy (8bit):6.507547399484773
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:s02O+ENIIWM+lKek17yd2X+VLnOkyqEWb:sJE6If/ek17e28d
                                                                                                  MD5:3CDCFDA0D37DC675F840F7CB234FABB8
                                                                                                  SHA1:7B6CD7A55D2F8574E03DF336260F3E69A186A0EA
                                                                                                  SHA-256:9FF82D7C3EF7DDE5D04BF50FFD812AFFFDE4FFD10FA2BA305C5C22EC6EE01BA2
                                                                                                  SHA-512:61FD456D88658E8AAA1BF503EA28D6D06A8A4F4C1F3D88621FC41E9F3022D9341C0DC25D11E99CDB15003D83A8FD2FFA6DFFED7207EA804593F56C0528939FCA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@.E$Y.@.....@.....@.....@.....@.....@......&.{96B92DFA-81A3-4790-BDF9-3D28564F56E6}..AnyDesk Custom Client..AnyDesk-CM.msi.@.....@.....@.....@......AnyDesk.ico..&.{628CD9B4-A962-4498-B76B-D464D49A354A}.....@.....@.....@.....@.......@.....@.....@.......@......AnyDesk Custom Client......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{9EA3C554-32AD-5C8C-BF7A-E4507A06D537}&.{96B92DFA-81A3-4790-BDF9-3D28564F56E6}.@......&.{6F8FD6FB-3EBA-5393-8B6B-42068095D099}&.{96B92DFA-81A3-4790-BDF9-3D28564F56E6}.@......&.{082057A4-D7E9-5192-980F-6C66827AAE0D}&.{96B92DFA-81A3-4790-BDF9-3D28564F56E6}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..,.C:\Program Files (x86)\AnyDesk-f45e5af2_msi\....D.C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe....CreateShortcuts..Creating shortcuts..Shortcut: [1]....G.C:\Windows\Installer\{96B92DFA-81A3-47

                                                                                                  C:\Config.Msi\67ba7b.rbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8815
                                                                                                  Entropy (8bit):5.5283453107461185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:0GrKTyJ0y8REcxul8R7cCjNRMaY0c0/uz/N+Y/BjNRDHUttx5rMEivAiE:0JREcHR7cMgF+YnJauEiU
                                                                                                  MD5:68B935C6072D2ED35A3CAFCB79CA1F0D
                                                                                                  SHA1:6248B9E6D24DAFD9C31F8C3F69D49F3F8C6CFF0F
                                                                                                  SHA-256:2E932973864A7E7CEF22E2FE1AA948C9A340D7B2401BE5CD87F40091802241F5
                                                                                                  SHA-512:DEE1717A0693DCBAB3D4CE90AA8A3A8B96623A058C3071B73A744014B3B45B64C64C50C3BCFB88093BF48DFF0E27DAC12724DF6EF8783EF74475E4FDE1AAFB5C
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\67ba7b.rbs, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@.E$Y.@.....@.....@.....@.....@.....@......&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}..AteraAgent8.SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi.@.....@.....@.....@........&.{352F53AF-93CF-49B0-A97C-42FE183A477F}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\366EB24AC54C4E043A1DA041CEF0BE22\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\67ba73.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\366EB24AC54C4E043A1DA041CEF0BE22\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...D

                                                                                                  C:\Config.Msi\67ba81.rbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8407
                                                                                                  Entropy (8bit):5.6183074986239765
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:lmoGl1fY6fC2fkf8f6ef0cReaSHRUV137PZCsTlnsUV137PZC6jNxau+TlnSQI5o:oZjBHKiXnefKv8Ihv8ko+UoVmpLvh
                                                                                                  MD5:8EC618F7C569AFAB806CA42A7E503CF3
                                                                                                  SHA1:03E2179F3E30ADC1DFF2C658C5014B2D8F424053
                                                                                                  SHA-256:0BA56421E3BBEA35582A3B7ABA8D841B91E5119753D2C0F0EECEC28E2D627A48
                                                                                                  SHA-512:9251D2CDF6EBEAEBBFF8ECD593020A237167454711F7DA188E7E1DA4CB667F7C52B4ACDD99B7F1752FF3C2CA0BF72A9D4EC7EB7AC0E185F11DFDAC7603A770CD
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\67ba81.rbs, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@.E$Y.@.....@.....@.....@.....@.....@......&.{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}..AteraAgent..ateraAgentSetup64_1_8_0_4.msi.@.....@.....@.....@........&.{2D689290-A367-4547-AD1E-5C025376FB63}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraService....KillAteraTask....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}.@......&.{3D32A227-FAAA-4602-881B-0CBCD9090F12}&.{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}.@........RemoveRe

                                                                                                  C:\Config.Msi\67ba85.rbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):57458
                                                                                                  Entropy (8bit):5.860709603720623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:/g8kxUr9O4QafETLKEpMzsMxlNPF73hXqiRuT2oKUG5aE/We6pEFfEojISLQTpfI:NQSD
                                                                                                  MD5:3DBFD32458469FB860654330B328FD71
                                                                                                  SHA1:7A9BF6BE90F1A88A07C987DCE8B6BC06D1667C60
                                                                                                  SHA-256:E58236F20D6D55C47EB1809639AF2267E17061FFD14D884856C87A218654B56E
                                                                                                  SHA-512:6278B499D196CA8E1A9B9F02457DDD0D5F878581AEE197EEF897F91CA5A7C231D01D17CA04567F3C2C96BB957FD973481383FBCFA7C9E3B901344EC4C1EBC6C7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@$E$Y.@.....@.....@.....@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}%.Microsoft .NET Runtime - 6.0.32 (x64)!.dotnet-runtime-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{81A6B662-3AB0-42DC-AE22-74E8036F80FA}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3B053811-15BE-513E-9DEC-B2B5C4918267}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{12C6BE75-4A6B-5D0E-8906-981484BEDEFB}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{5B8B7A30-DD32-5F3F-BF38-4CDA80FF7B58}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{2D57BD37-A665-5E90-A9D0-150D1AE6247E}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{6F6135D1-D37B-59EE-915A-2CCBA1F18027}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}.@......&.{07C0B213-96A0-54A8-8375-7897382BD558}&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216A

                                                                                                  C:\Config.Msi\67ba89.rbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9062
                                                                                                  Entropy (8bit):5.599194930399164
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:smbnPKC5jc2KeU3t35rUmeD2+PZCsTlYUmeD2+PZC6jcS3Y30YlTlWYhIKE5357m:pjKiY/eKYj8IFj8t/EjANmWph
                                                                                                  MD5:69088A906125E94F79387DE9222A9CD0
                                                                                                  SHA1:855D61A73283B6AA4C38658501E893206497AB3C
                                                                                                  SHA-256:955C7BBD56B44347ABC1419146BBF10CA68BD6FB7C09E83E1A512A31FE5216E3
                                                                                                  SHA-512:AB4A78001989C52FFD519A998D5A99D4C7F5B4CE6C0294222651352CDE2F0144A7A25BD3B186150FFF0CB866459326AFEF7439922598137B49164D33DAC25C76
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@(E$Y.@.....@.....@.....@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}..Microsoft .NET Host FX Resolver - 6.0.32 (x64)!.dotnet-hostfxr-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{E116E585-E2CE-5BAC-A645-7047860785B2}&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}.@......&.{0AC899A6-3CC6-559F-9577-67925851F466}&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}.@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}.@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]..(.C:\Program Files\dotnet\host\fxr\6.0.32\....3.C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dll....WriteRegistryValues..Writing system registry values..Key:

                                                                                                  C:\Config.Msi\67ba8c.rbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3870
                                                                                                  Entropy (8bit):5.087446850685311
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:vmbnJe430tTlW730s/lTlWs/gW3Ai3IpVx8y:O1eNE6T
                                                                                                  MD5:C91E481C366B863C75C1A2E2FB76BDAB
                                                                                                  SHA1:62C538C247B0891BF6895411718F5A453B48B4E6
                                                                                                  SHA-256:8CC909B0CBC1DF2211340E3B1B6BE07ABBF434405E1DDCFACC028A809A30AF4B
                                                                                                  SHA-512:B9C97D9629BDD4FFAF001C7C610437197E96D037ABC40CB9B2FCFFFE907E22F2DC5AA460AD2171C8B4DCDF15FF0C05B6EF6ACFFEFE36F35F39B66097DFE21B81
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@)E$Y.@.....@.....@.....@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}..Microsoft .NET Host FX Resolver - 6.0.32 (x64)!.dotnet-hostfxr-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....RegisterProduct..Registering product..[1]$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\356BC7661E07B2E4C9E8A6206AFC889B\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....$..@....3.Software\Microsoft\Windows\CurrentVersion\Uninstall.............................................. ...!................... ...!.......?........... ... ................... ... .......?.......................................?...........

                                                                                                  C:\Config.Msi\67ba8f.rbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):75963
                                                                                                  Entropy (8bit):5.733662944008429
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:fJXeqjCyEgH2bQzxW5wM/wt/JBQKwHhrRUL2l+Jq4599oefeIubJZrQ1vMF8EkdX:ySH
                                                                                                  MD5:79089128FAC1BC496D25B1289A981E85
                                                                                                  SHA1:6FEC4AB3B375D04FAD46979E939668029D1D9954
                                                                                                  SHA-256:B76CCDE18418A8A908BA316A586F826C41575F82055253221CC624AC7E2E5C73
                                                                                                  SHA-512:15655A412D93D89E7CD78EAD941FD00861A1797A1F0F5AC91CF54FEBB2BE0B9524E4247B114C98E21F885A129C197F461DE8217174831020FA072FF1AAC1D3D5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@.E$Y.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3D8827C3-3F73-4AD7-9420-7CA93653C8F2}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{61B538AB-B209-C01B-F95C-B0A0531054D2}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{3742F778-8BAC-9729-A5BE-712DA9BEB95A}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{ADBB7064-411F-E593-D901-EACB3BA8154E}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{06653204-4010-8C69-AD0A-982273468010}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{76FB8673-364C-25A7-DEC2-3C43D0343A02}&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}.@......&.{944490A2-222A-67EA-5532-3CEF12

                                                                                                  C:\Config.Msi\67ba91.rbs

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):427
                                                                                                  Entropy (8bit):5.270627327049036
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Ea3LMFZle/YeVugrUucQBak5cQvpL7lgYKq9uSgmll/Vnpm/nsuRYaRsjXwpoh7D:EgoOBjUcBZ97lghq5j//a/fNl+1
                                                                                                  MD5:5EC6AE8B8AAAB6A520A052EF0F4E3A34
                                                                                                  SHA1:904CDFEAFB49246E94B60BBE1CE0E48AD49AB88F
                                                                                                  SHA-256:C47135866A7C829CACB2638411EE4B088BCAAF8EB28F016EAA58ED846C0AB07A
                                                                                                  SHA-512:2603528252F549C61E26A7986085E1E81DC6D002693EC148F98F5F104B38D90A5CFEAA36EB25AD40FA120EF5DEBF4B2531DF51C599E242A9C125F8C64C84C64A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@5E$Y.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....Util_UpdateSetting....Util_InstSrvAndDrv

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):753
                                                                                                  Entropy (8bit):4.853078320826549
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                  MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                  SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                  SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                  SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7466
                                                                                                  Entropy (8bit):5.1606801095705865
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                  MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                  SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                  SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                  SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):107520
                                                                                                  Entropy (8bit):5.61222820248956
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:+Tk1M9FgUVRP4ZCebOnhAKmMAhyAc00dX62Cbkmcg3vtTqlsobxF:p6gUXPe0nCKmMAt0dK2CbkKvtTqxF
                                                                                                  MD5:28D920237F64F246331725C1B2A29D1B
                                                                                                  SHA1:6CBBAEAB2AAF910F7397771C4E2B5BA7D5719C9F
                                                                                                  SHA-256:79F6FADF2E77652D0D7FCFE3D82E0F2382DC373DB0F2A1D7499D1EEC0BA514AA
                                                                                                  SHA-512:D89DC5C0DA0962B43FBBAE57D373C543C1023BFDBA59721E9DE22BE6225C6207742C6E80FB737CEBC1753C4AEC53218A04187F9FF2C78FB5F0C71D7BBFC65F32
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 5%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\o^.........."...0.................. ........@.. ....................................`.................................h...O.......,...........................0................................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H...........4...............p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~......9...s....%.....s.......o......o.....*...0..O........(...........~....r...po...........,..rG..ps ...z.rO..p.....(!....b.....o"....*..0...........~....r...po#..........,%.~....r...po...........,.rG..ps ...z..r

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2050
                                                                                                  Entropy (8bit):5.046100598911167
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3frfdbK52nKS4YHJyILsJ+J4YHKJyIv47O7Rguo3XfsnMhmMx:vrf9K5kKS4Ypy6sJ+J4YqJy3qo/sMXx
                                                                                                  MD5:7FF0AC77806AED9588B143CD0FAB552B
                                                                                                  SHA1:184B62F2956B95FFE3DC98EBB31D7F45DBCA83FD
                                                                                                  SHA-256:730D85D5EF4F0939154278949C126A444ED859E7718BB175CA3153CA6ED9D142
                                                                                                  SHA-512:1856BDA8CC3D4161110CD75A7BE4939193ED408A95F9C41E22F4CC9F85B1294584F95796BCE207DD65D606FFB57760B3D2E1681EFBBB7759A19A9F70FB7EDAC8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. <add key="PubnubMessaging.LogLevel" value="0" /><add key="PubnubMessaging.PubnubErrorFilterLevel" value="3" /><add key="PubnubMessaging.LogMessageLengthLimit" value="0" /></appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="Syste

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):200704
                                                                                                  Entropy (8bit):5.683688089372797
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
                                                                                                  MD5:C8164876B6F66616D68387443621510C
                                                                                                  SHA1:7A9DF9C25D49690B6A3C451607D311A866B131F4
                                                                                                  SHA-256:40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
                                                                                                  SHA-512:44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):475136
                                                                                                  Entropy (8bit):6.032338173466497
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:g+Idc1yb868v7OgHL1Rimqj9mWTEFxLL3Y1zIalvBFj7eP9yBherOyK:gTc139iUL1RimqdgFNYddBgyH
                                                                                                  MD5:83222120C8095B8623FE827FB70FAF6B
                                                                                                  SHA1:9294136B07C36FAB5523EF345FE05F03EA516B15
                                                                                                  SHA-256:EFF79DE319CA8941A2E62FB573230D82B79B80958E5A26AB1A4E87193EB13503
                                                                                                  SHA-512:3077E4EA7EBFD4D25B60B9727FBAB183827AAD5BA914E8CD3D9557FA3913FD82EFE2CD20B1A193D8C7E1B81EE44F04DADFCB8F18507977C78DD5C8B071F8ADDB
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3............" ..0..6..........vT... ...`....... ...............................E....@................................."T..O....`..d...........................TS..8............................................ ............... ..H............text...L5... ...6.................. ..`.rsrc...d....`.......8..............@..@.reloc...............>..............@..B................VT......H........ ..D2...................R........................................(....*..(....*..{....*"..}....*..(&...*:.(&.....}....*"..('...*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..{$...*"..}$...*..{*...*>..}*.....(....*..{+...*>..}+.....(....*..{%...*"..}%...*..0...........{&......(....-..*..(....*6..s....}&...*.0...........{'......(....-..*..(....*6..s....}'...*.0...........{(......(....-..*..(....*6..s....}(...*.0...........{)......(....-.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1345342
                                                                                                  Entropy (8bit):7.999087415296336
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:P6qarBXIu143emJM2e03hHsPi7+QfGIjn5xgFxNybKJvTDSJSH:cVI81mOZ8tsu+MjnrAsimY
                                                                                                  MD5:F2E653E517216BAE6EE1866E56C93541
                                                                                                  SHA1:C9CFE52AEA1FC5026437162E5CD6EC5AFDDCDB23
                                                                                                  SHA-256:1A76544543CA4CCDD3981F517E93E316EF3EEFA677ABBDDB19AC94B9AD8EC613
                                                                                                  SHA-512:7AC34473A4B50991344DE76186B249DA8753FE01C4F1C344CF17136D157A8847A34047D1E492BB74F9B877DDDE155D6E503067FEF2DCCED6F7795B5EDEB97DDD
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK.........:rX................Agent.Package.Availability/PK.........:rXO......L...?...Agent.Package.Availability/Agent.Package.Availability.deps.jsons........&|+.[a....k...F.?.y.ef........N..|..D.....I..;4.p...Q....yQ...v.H..2..BK.<:c...%.u....P6..... .".Lhh.~.. ..,.$OGI.37.P...7.o..4.t?......\.h...i.L..........._.k-JAw..{..<.;1V..bm.....|.q...2...g...Oi..a..Z....Q..&G.........dM......H.^......Gx\n1k....D.^..DA..5.Ou.e@.h.|.g...).}.._J.g.S...z...F..F.'..R..7}!]C.l.n6.O>-...w0.c...`7&P....VY.N.....%.2.....w.,".t4..Yi..<".M..dG.'.5.f/.f.c.uG.xDlo.%..A.....bD3b.dix..O...re.J.}....FO..jE..T.....H.......t.W...N.`..@.K. 7..-4.#..!...%;t*...aM.,2.a...(.Z..E#...g.op.3.p-*"......mh..-h..k|#. M..S)}.).V.Ze.z.8.ku..)u4...Ch.2.D...x.6...~|........|I.8|...S..h.w.N.9..f.i0.R-....Y...q..;3.. J+..N>.....7>....e.R.6'...Q.Mf.?....+w.....Yu..r...L..].H.....N...H...~=Fj....5.....B.D.B..K....<.q.<c...D..j..U.....<..M.....M.Ns..]5.]......W...?J.Z..R.N..."L5.%|hU..n.}..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.deps.json

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32588
                                                                                                  Entropy (8bit):4.9960910032419115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:YMiXbLuNFLgxnzeynrL390PbFM1Orsc+eQjBy6qY2871Yu9IM8yzI:YHX+CRN0PbG1Orsc7QqYR71YyIM8II
                                                                                                  MD5:30FD970122DC4F600AB043C1F2EAA9DF
                                                                                                  SHA1:73ECB0343F13193E1647169994E856B85B3E8A80
                                                                                                  SHA-256:B9AEC2BF04C19AEDE9F089947337F4A72F4D9D9107499D06489220B78965945A
                                                                                                  SHA-512:070C5B9976289C7EF84D01BCEC81E87B538F0251048FDEAD99EB8CBFC4CCE5AE9F3072D0F5AD79B1BB49CF3C78858581627636035772F875B132044FCBAEA0E3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Availability/0.16": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.0.0",.. "MQTTnet": "4.1.2.350",.. "MQTTnet.Extensions.ManagedClient": "4.1.2.350".. },.. "runtime": {.. "Agent.Package.Availability.dll": {}.. }.. },.. "Microsoft.Extensions.Configuration/6.0.0": {.. "dependencies": {.. "Microsoft.Extensions.Configuration.Abstractions": "6.0.0",.. "Microsoft.Extensions.Primitives": "6.0.0".. },.. "runtime": {.. "lib/netstandard2.0/Microsoft.Extensions.Configuration.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.21.52210".. }.. }.. },.. "Microsoft.Extensions.Configuration.Abstractions/6.0.0": {..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64080
                                                                                                  Entropy (8bit):6.320286768676932
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:9pU+qNEN8hGUdlhkjqMCgoGIxBNPlaWxk4TKZ08gDT7iC6gW3GIXtHEje4bEpYin:DU+CkuMChNPlakNcgD8ge1+JU7Hxz1
                                                                                                  MD5:E863A6AB8AA66CDFDB72085FF29C8945
                                                                                                  SHA1:3018DAFFFA623BC8404E1D0AE990B3B58E502455
                                                                                                  SHA-256:8168DF0CFF719BB10F2A03EC220788C931DA3E5EFA02030011AFF5B48F888D36
                                                                                                  SHA-512:62C0623C9E2BD66A3C1469BE3D2B7D36CB52364181D38400A6F27EE0600DA98DE921F49EBCDC2EB6A49D2CC0C2FFE4287D7587020162DEBDD54209CC89108350
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....z..........."...0.................. ........@.. .......................@............`.....................................O.......................P(... ......d................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......8^...z..........L.................................................(....*^.(.......J...%...}....*:.(......}....*:.(......}....*...0..7.........(....}A......}B......}@.....|A.....(...+..|A...(....*..(....*..0...........(....o.......(....*..(......}......o....r...p(....}....*....0..7.........(....}W......}X......}V.....|W.....(...+..|W...(....*..0..?.........(....}\......}]......}^......}[.....|\.....(...+..|\...( ...*..0..7.........(!...}b......}c......}a.....|b.....(..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):160336
                                                                                                  Entropy (8bit):6.2128348726246605
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:6czkitvo4BpYN/6mBPry8TXROLdW5m4mUR39OOGO0kLxD:6A4NCmBPry/N2jOO7r
                                                                                                  MD5:EEB8806784553B29F5E8CE3F3566C452
                                                                                                  SHA1:588702EDD2CAE4FB11558E967BA88F1D4AA0B92E
                                                                                                  SHA-256:AA2322E40481D38DF9976C34A564932262EE08E72FD76465ADBCC04545BEEB8F
                                                                                                  SHA-512:88378E2190D813E788121DB814AC9B49FF12E489780CF46CDA770794D3EDF64075E1C73F2C1EFD29265EE71FDCB13A06A0DE0C29747773636FD3DE28ADA6E2D1
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.............../......./......./.....a.....S../........"...I../....I../....Rich............................PE..d......e..........".................`<.........@....................................3.....`.................................................t$...............`..@....J..P(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.reloc...............>..............@..B.rsrc................B..............@..@........................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14
                                                                                                  Entropy (8bit):3.8073549220576055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhVLD:WDLD
                                                                                                  MD5:9A7D20AAA012D185DB528C72378B0ACB
                                                                                                  SHA1:CD17C5DDB04E5CBAEBA56BB883B2BD0BF8C529DE
                                                                                                  SHA-256:CBA7D06C662A6601164CBC5A0F4086E247DC1ACA7CCF2F72F4443C88DDB29095
                                                                                                  SHA-512:961707F9926401EED9FDF892484527D253514F336B2AEF0A450184EE125DB940823E933739ABED422BC97B37E4094EFB3C9C355154F86984EB36508ED28BEE90
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=0.16..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.runtimeconfig.json

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):253
                                                                                                  Entropy (8bit):4.585549446641918
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                  MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                  SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                  SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                  SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59472
                                                                                                  Entropy (8bit):6.232150161817101
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:W36VpFishtGAb2BAst2t1z2C0qePts2+lpmjouk3KmGT1S3k7ZJSEpYinAMxCcOO:rFan4tkC0qH2ip2ouXm21oGJz7HxnOO
                                                                                                  MD5:2E0FAEE04F8632291F811074ADD4C253
                                                                                                  SHA1:0BAE9ACC374F92683691B335325A88FFA3B4109A
                                                                                                  SHA-256:2CEB68FE0E177998268E78FCB45065A2B53ED4E8E74F751B6AA993CC2AEACDE5
                                                                                                  SHA-512:A312A2B8689202032DDDF5240EF5092977F47BCCF19D0D1568D392EBD51040989453FFF1DB8B7F637E672843E701DD88BEFD80158F3209C089BC08670B7B8B2E
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Atera.Agent.Package.Infrastructure.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.%..........." ..0.............Z.... ........... ....................... .......b....`.....................................O.......t...............P(........................................................... ............... ..H............text...`.... ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B................<.......H.......4P................................................................{....*..{....*..{....*r.(......}......}......}....*....0..Y........u........L.,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o....*.*.*....0..K....... M.. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o....X*..0...........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...*..{"...*:.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.Extensions.ManagedClient.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):54352
                                                                                                  Entropy (8bit):6.249382958975322
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:yjPkdaG23BdHAnoekKhbdzn9kpWcwfRLzfoZrx6nnPMfm8XoJE5GtSdhEpYinAM8:IPGShI7mW1ZoZrcn0e0oJ4GtuK7Hxe
                                                                                                  MD5:59E6366CBB001376D03B59886F8CC984
                                                                                                  SHA1:A9B93839F4960D0E8CFAAEE15439083615AC14AC
                                                                                                  SHA-256:902725DBF9F7950D1A4A4F0057CAE5E14816F0ED686BF2422C03561AB13DA870
                                                                                                  SHA-512:DC77203DCF26337FA34094F1C954128ECC3C9C72F0F53B46598F6272012749A523AE38C5EE6D55376084568C2D97FB07104EA1D703318231517924FC7BD095D9
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\............" ..0.............V.... ........... ....................... ............`.....................................O.......x...............P(..............T............................................ ............... ..H............text...\.... ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B................6.......H........Z...c............................................................(....*^.(.......V...%...}....*:.(......}....*:.(......}....*..(......%-.&r...ps....z}......}....*..{....*..{....*v.(......%-.&r...ps....z}....*..{....*V.(......}......}....*..{....*..{....*..{....*"..}....*..{....*"..}....*J.(....}.....(....*&..}.....*&..}.....*.0..)........-.r'..ps....zs.......o......o....}.....*..{....-.r7..ps....zs/...%.{....o,...%.{....o....*J.(....}.....(....*...0...........s....}.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\MQTTnet.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):311888
                                                                                                  Entropy (8bit):6.173014844115743
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:+F0eAyIQXbKwPMF83GUN/7a3zyROhmogpE2/M3jw:+8QLKwPMKGUuBhh33jw
                                                                                                  MD5:6B314E447AD16EF4B8CBAA6CFF589F74
                                                                                                  SHA1:86647A26123AED74F2222E95C310C6186B03908E
                                                                                                  SHA-256:065EAB6C73BD96467BBC02FC3763DA01C7FB7065368C15E93192EA2F71975BE7
                                                                                                  SHA-512:131591A60F8C6251465F8BD103ABD499EDCE850BEE97AFB58A37B2ACFFACFEFDC93EB0EDBBF426220B9C9CAAE0A6212AAD5665A70F913FB96751CBB234A718D4
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ..............................f.....`....................................O.......................P(..............T............................................ ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.........................................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..0...........{....-..{....(....,.r...ps....zs....%.{....o....%.{....o....%.{....o....%.{....o....%.{....o....%.{....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26192
                                                                                                  Entropy (8bit):6.56959956590535
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vm++Js0qJ63NU17qtlR9iaTG/0wEzRjz6sMHJhOnAWM/aWsrNWUNyb8E9VF6IYiD:+lso3W7qHypd//SHEpYinAMxCsB
                                                                                                  MD5:568B70E6ACC43FA5D6D1B748323B7100
                                                                                                  SHA1:33C1E279743914ECAAD4BF3F3581D1914260C8F9
                                                                                                  SHA-256:1951AC489A3A924874B67DA82E7DB6C0F4BC599E3C38A8E6EDE0A5C33DD45391
                                                                                                  SHA-512:EAAB9BA61D0ED958C6D1A4DF0E95CE5AE2FFCD6A6E6C9FAE5522902FB72586EE16EEF397D94B3625B820113976ABC8F7DABFB55999B8802988D9B20201BC5C66
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..2...........Q... ...`....... ..............................t.....`................................./Q..O....`...............>..P(...........P..T............................................ ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............<..............@..B................cQ......H.......X'...#.......... K..p....O.......................................~....*..0..........(....,..*..(.....o ......&...*...................0...........(.......(!...-..,..*.*.(....,.r...p......%...%...("...*..(#...*.(....,.r...p......%...%...%...("...*...($...*.(....,!r...p......%...%...%...%...("...*....(%...*..,&(....,..r...pr...p.("...(&...*..('...*.*.(....,.r...p......%...%...("...*...((...*.(....,.r...p......%...%...%...("...*....()...*.(....,"r...p......%...%...%...%..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34896
                                                                                                  Entropy (8bit):6.492292235898413
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:IRnQyuN61yKW1Guh2dIewN3czA8i1KraoAEpYinAMxCU6:IdgA1yKW1L0dkNc081+oJ7Hxw
                                                                                                  MD5:7AEC82F5B955AB320971CF18B13D63E1
                                                                                                  SHA1:C7BDA552D6C44FF7F5546AF6BAEAF0DAB0A6C278
                                                                                                  SHA-256:6D46A7EC7CC3DF3663B359F54F0F7B9B47EFED4AEF728C6DE117091F3838AB9B
                                                                                                  SHA-512:622E1E8373AC5641D0B6C77FF80A422D4A18EED790BBBE675C48A970318736862EFDBE28829A53AA631F8D387A10D14EC86FF748D4F33183CF6D331C47CAC426
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........." ..0..V...........u... ........... ....................................`..................................u..O....................`..P(...........t..T............................................ ............... ..H............text....U... ...V.................. ..`.rsrc................X..............@..@.reloc...............^..............@..B.................u......H.......p/...9..........Hi.......t........................................(....*^.(.......5...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*...( ...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.CommandLine.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24144
                                                                                                  Entropy (8bit):6.681463392080136
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:T9FrztnCvZrlMIPTlLn9by3WKbW97nW2Nyb8E9VF6IYinAM+oCut8X7De7uA:Tbztn2AmxniKnEpYinAMxCZeX
                                                                                                  MD5:63CC618B9FEC8C9503DE8EDB5B7FE6EE
                                                                                                  SHA1:C994A8DFD89F5C4329744A589D35AF40B610F6B9
                                                                                                  SHA-256:5C5D3B9FAA3E3D3310BEC715473C58D490FD285344B95A381A7F46E19216FE66
                                                                                                  SHA-512:96C4F352951320309EC880F3C8BE6558633226DB577D51A22C7EE7B6EA2CF9960AF3B10D826F59DC80E14350BE684FE0836F1A31B19714C98475633BB3919D1C
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...K.$..........." ..0..,...........K... ...`....... ..............................pu....`.................................uK..O....`...............6..P(..........XJ..T............................................ ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B.................K......H........%...............B.......I........................................(....*^.(.......(...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*...(....*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19536
                                                                                                  Entropy (8bit):6.730982430474166
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:SsGu6f0Ux3STFWUQeWmNyb8E9VF6IYinAM+oC/tUlUK7:SsGuWRTuEpYinAMxCWlUU
                                                                                                  MD5:E82CC9FD71064E072AE181432720A909
                                                                                                  SHA1:22FBE31E07A80B1B8DB0B97A3978ACCBBDBB0455
                                                                                                  SHA-256:842D59E7D1116B4072B2A18667EA381E7D2E449F14CABD89DB495EC3B4E4BEB5
                                                                                                  SHA-512:682DE1D3AAD5E08A78F7B55524B47926BDF2C249ADA483341DCE021BF1C21EF9EC1BD67BEC24230823253ED51251D5F20FA388E055B88CB5BF35275BAABB36B9
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3Y..........." ..0.............~8... ...@....... ....................................`.................................+8..O....@...............$..P(...`.......6..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................_8......H........"......................|6......................................:.s....o....&.*V.s....%.o....o....&.*"..(...+*J.(.....~....}....*^.(......%-.&~....}....*2.(....(....*..(....o....r...p.{....r...p(....*.0../.......(....s......o.....8.....o.......(....t ........r...p.o ...,.r...p..r7..p..+n.re..p.o ...,.re..p..r...p..+P.r...p.o ...,.r...p..r...p..+2.r...p.o ...,.r...p..+....(......(!...t ...(....+N...o"...o#...(.......r...p.($.....(!...t ...(......,...r...p.r...p(%.....(

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.FileExtensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27216
                                                                                                  Entropy (8bit):6.556776563317454
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6Y5JfZB7plLDwLx0umTZXA/XABRfhzWqr6WpNyb8E9VF6IYinAM+oCeB8euvQ7:/rd8Y0wRhzpEpYinAMxCeXL
                                                                                                  MD5:F52ACA731FD999D93962B96D86E6B4FA
                                                                                                  SHA1:BE07B77866379A49FED237471F232CBE348A1BA1
                                                                                                  SHA-256:924B4D2E997C16CE54101D05E8E7298F3D0D0FC9611957CEB5738C7224909DCC
                                                                                                  SHA-512:A5EDE09FAE3ABE0FE68F7D04BFC3A382FD0875BD87F4B80465DDB8C0645E4B9AA9FE6DAC5BE18B1F1E5CA32869E00E481103AD4A308AAE2208F857C90D0F4ACC
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<d..........." ..0..8...........V... ...`....... ..............................S.....`.................................?V..O....`...............B..P(...........U..T............................................ ............... ..H............text....6... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B................sV......H.......P(...&..........lN..0....T........................................(....*^.(.......,...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*...(....*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26704
                                                                                                  Entropy (8bit):6.562781030074369
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:yI2/cK/FWwbGXC8e1lje1l6RWkb2W+Nyb8E9VF6IYinAM+oCE1sD:yI2/cqFWwSl6hXuEpYinAMxCrD
                                                                                                  MD5:63072DC72E16744763AB647135C09C60
                                                                                                  SHA1:7241FA172D6B5F06AE99FA4112EF981010489797
                                                                                                  SHA-256:5DA668B31F3E78DBCB3FA2D261694944DE451C757D62AD57173EF7B1637DA7D8
                                                                                                  SHA-512:076906EC35DF1550467E4B2B7070D87F2EE84605D595699E9BC0376681A5637BBB9EC1B1A0933419EDC81F807637767D68ACD1ECAFF0EAAFCADE425DCDD0D762
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....^............" ..0..6...........T... ...`....... ....................................`................................./T..O....`..l............@..P(.......... S..T............................................ ............... ..H............text....4... ...6.................. ..`.rsrc...l....`.......8..............@..@.reloc...............>..............@..B................cT......H.......|'..t#...........J.......R........................................(....*^.(.......6...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..( ...*.*.(....,.r...p......%...%...(....*...(!...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25680
                                                                                                  Entropy (8bit):6.5096189037099315
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:sw6kebL1iFn6d6E1oE1LdAAW9ACWHNyb8E9VF6IYinAM+oCvcTE920l:AZbcWus/EpYinAMxCgc
                                                                                                  MD5:19DAA869DFDD8A67F4F7EEE1C955C7D1
                                                                                                  SHA1:3BA0358E9619ED1686A73E8955EBE0C4A61D6EDD
                                                                                                  SHA-256:F2AB144E0B9DA3689BC1AFE5AFD8721BBB523EC01C1299176FB5EB11A4B9FCBA
                                                                                                  SHA-512:0F42E9AF420A8E0A7547E7D172B4E0238698FFEBF65494F1C4C241E90CEEF53F7238A7423A216B8A86366EF16050B5836FDAEC63570BA468BE1CE5973C27DDB5
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Z..........." ..0..2..........6P... ...`....... ....................................`..................................O..O....`...............<..P(...........N..T............................................ ............... ..H............text...<0... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................P......H.......x%..d............C..h...DN........................................(....*^.(.......!...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*...(....*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):37456
                                                                                                  Entropy (8bit):6.451863278895808
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:gi4PV4eWxaVsQLqyCekI/q/xGljjEpYinAMxCkmg:gaVxa2QXUxajc7Hxpj
                                                                                                  MD5:A2B120986B4BB34F8BFA9ACF877A6581
                                                                                                  SHA1:3E759CE7F93835E8EF7E5F5685A64BBC77FE69A4
                                                                                                  SHA-256:DB4B3ECF1812E0BAF0326A94553049FE9DD613613FF344331A8C4A5BF6D062D8
                                                                                                  SHA-512:74C787EE77B34159ABC3FFD2CFE75B6855D03415F2E7334F5FD5BF20436B6BF10A65F9BB97143B631E3A56EAFD79D214489B3C393D48321E53DE88518CFF070A
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..`............... ........... ....................................`..................................~..O....................j..P(...........}..T............................................ ............... ..H............text... _... ...`.................. ..`.rsrc................b..............@..@.reloc...............h..............@..B.................~......H.......@6..p@...........v......@}........................................(....*^.(.......8...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o ......&...*...................0...........(.......(!...-..,..*.*.(....,.r...p......%...%...("...*..(#...*.(....,.r...p......%...%...%...("...*...($...*.(....,!r...p......%...%...%...%...("...*....(%...*..,&(....,..r...pr...p.("...(&...*..('...*.*.(....,.r...p......%...%...("...*...((...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):44624
                                                                                                  Entropy (8bit):6.263023686004545
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:X8+cxuPn//hpz2XCkCkCdvAb4b4qox06OoV0F8l0HCTpw0wo0emqEpYinAMxCm5w:M+cxuPn/bvvE0Q0HCNfBsL7HxLG
                                                                                                  MD5:8F23259BF8157AA26FE2BB5697CDE18F
                                                                                                  SHA1:14E9EA552451E4EA72D77D124FE1330D6F352E26
                                                                                                  SHA-256:836863E3C12887EF2BED748EA63903C47DB9D42FDDAB607CD0BA47981A2F7FD8
                                                                                                  SHA-512:98FE8F297F1834DC09926E1B3E8AE37EAB8DF183F913453A81A779A10DB0FF93E4F3FE895206C857E15A62882C7EC32121D27A33CA3413B645E9E70A3A3F263E
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9t............" ..0..z............... ........... ....................................`.....................................O.......................P(..............T............................................ ............... ..H............text....z... ...z.................. ..`.rsrc................|..............@..@.reloc..............................@..B.......................H........>...M..............H.............................................(....*^.(.......B...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......( ...-..,..*.*.(....,.r...p......%...%...(!...*..("...*.(....,.r...p......%...%...%...(!...*...(#...*.(....,!r...p......%...%...%...%...(!...*....($...*..,&(....,..r...pr...p.(!...(%...*..(&...*.*.(....,.r...p......%...%...(!...*...('...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):82512
                                                                                                  Entropy (8bit):6.280844319966934
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ENLmvi666OjIX0h9zMPvHBWCaRweUG4DynjEZnB87Hxk:K66fjLb8vH0CiUG4DyneB8S
                                                                                                  MD5:10D7DB14873F7D90062ED05370F74608
                                                                                                  SHA1:E57473D9CAF6417BEEE24AD59226F0DB6D9A2596
                                                                                                  SHA-256:5A6E417DFC3349517D74CB22B220B5EDCF5AA7CAFBF858FE21F49ED0C9FCBF8E
                                                                                                  SHA-512:D74EEB2A584D10E71582B1EA8CFF08C4968333CF620FE60AF61206375BD7CDC498104DEAA0082EFC47FE850D44FBED5031E3C69301CB3C41D3C70CA1805921AE
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5............" ..0.............N.... ...@....... ...................................`..................................-..O....@..................P(...`.......,..T............................................ ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................-.......H.......pj.............@...0...p,........................................(#...*^.(#......p...%...}....*:.(#.....}....*:.(#.....}....*:.(#.....}....*.~....*.0..........(....,..*..(.....o$......&...*...................0...........(.......(%...-..,..*.*.(....,.r...p......%...%...(&...*..('...*.(....,.r...p......%...%...%...(&...*...((...*.(....,!r...p......%...%...%...%...(&...*....()...*..,&(....,..r...pr...p.(&...(*...*..(+...*.*.(....,.r...p......%...%...(&...*...(,...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22096
                                                                                                  Entropy (8bit):6.574986500526706
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5lfkJv/RYTWl6+MTxMufuMc8CWsbhWVNyb8E9VF6IYinAM+oCUUF:5lcJnRYTwIjJ6mEpYinAMxCd
                                                                                                  MD5:A2E5939939DEC7631230F0CED43CACAB
                                                                                                  SHA1:2946F6E44885EA041D307E6B535D21F4594487FC
                                                                                                  SHA-256:BA54C5630AE9E7994E5489C7DA9A80E4E3C9CC46921BA9EC9B3B625E35011FFB
                                                                                                  SHA-512:0A9130E542F4E127CA3BDD51D64EC75DB8793C66815CBB6FD17B5C8788594C0FD7EC7CD7730DAF84BA275A35DC95F9B56FE73A25189B4C538CDEB289696EA94E
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.."..........r@... ...`....... ....................................`..................................@..O....`..................P(...........?..T............................................ ............... ..H............text...x ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............,..............@..B................S@......H.......T#..............H:..@....>.......................................~....*..0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*...(....*.(....,.r...p......%...%...%...(....*....(....*.(....,"r...p......%...%...%...%..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):43600
                                                                                                  Entropy (8bit):6.435989681911625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:uHxWCQ4MPJG3cOeeapdUgsWflN+Qu5cEpYinAMxCT:uHxW58re3pdUqN5u517HxA
                                                                                                  MD5:5B11E661BC8B53F6886776E6C0AF024E
                                                                                                  SHA1:644BCFAD4D5DE8ABB74A692DB728C6EB4EA5DCEB
                                                                                                  SHA-256:2F329F4B16D0F1DFA1CFF2DD699F6B28F30F45F61F6AF8B393CB7A13358B0E20
                                                                                                  SHA-512:EB3F13885303313697B347F330F102A8C6467A3AAC402FE0110993B4B7ABB3FC42387A50933E4B466CEA614C4B0434A9C94A04CB1229691F7E4AC87DCF4AA276
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....8..........." ..0..x............... ........... ....................................`.................................g...O.......p...............P(..........X...T............................................ ............... ..H............text....v... ...x.................. ..`.rsrc...p............z..............@..@.reloc..............................@..B........................H........:...P...........................................................(....*^.(.......O...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..( ...*.(....,.r...p......%...%...%...(....*...(!...*.(....,!r...p......%...%...%...%...(....*....("...*..,&(....,..r...pr...p.(....(#...*..($...*.*.(....,.r...p......%...%...(....*...(%...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45136
                                                                                                  Entropy (8bit):6.356515470188593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:LlwMU3jMMSPNueKQWjRUILOK2Ksf/qSCgHgUsJJEpYinAMxC8:LuMUJqLWjRHFtsHqSCgHgUsJy7Hxj
                                                                                                  MD5:EE514D62931BB1B8D2F76597F4B5AAC2
                                                                                                  SHA1:F9052A124653BA28CE8ACB3DFF1DA7E261CEB92D
                                                                                                  SHA-256:6C0F0AA4A3772448A688AB8E086861DE8026E3D8A97EF4A8D513AA9E5535246C
                                                                                                  SHA-512:74CAA313BD77D88CB9EAA5E35E6388B32734E605DBB514130F1FCBE03FF4D7D1D7F9EE884F97975BAF2FE7D76072D9056116FA6BBB59C0786513354B589993EE
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?.:..........." ..0..~............... ........... ....................................`.....................................O.......H...............P(..............T............................................ ............... ..H............text....|... ...~.................. ..`.rsrc...H...........................@..@.reloc..............................@..B.......................H........C...O..........H.......8.........................................(....*^.(.......9...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o ......&...*...................0...........(.......(!...-..,..*.*.(....,.r...p......%...%...("...*..(#...*.(....,.r...p......%...%...%...("...*...($...*.(....,!r...p......%...%...%...%...("...*....(%...*..,&(....,..r...pr...p.("...(&...*..('...*.*.(....,.r...p......%...%...("...*...((...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28752
                                                                                                  Entropy (8bit):6.5663544647348155
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:sfGp7YacaEaVNbG12flBF76euwMw0tXXVfFQkzsG9kni7QXRdQWibdWPNyb8E9Vv:owVNz9BF76ejMbmHXRQAEpYinAMxCxu
                                                                                                  MD5:451165A322F6BDFAB22D2640CFEBD88D
                                                                                                  SHA1:E0D874B7FC80611581E745AD721540A3A20C7E1D
                                                                                                  SHA-256:A982218CD6CEDB1DE7D4286C8B4E785F16A59AF06F780A88D250CFC41DA3B941
                                                                                                  SHA-512:227B4D98A758E13AE84453E7FE2B3970D95EE195192DC147B51316F73F5B6CFD68E629DA15A314AECA19084B3A9A080D7E6D4E6D3826D070F7081EA8E8BDC7F4
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....+............" ..0..>...........]... ...`....... ...............................7....`..................................]..O....`..8............H..P(...........\..T............................................ ............... ..H............text....=... ...>.................. ..`.rsrc...8....`.......@..............@..@.reloc...............F..............@..B.................]......H.......p,.../...................\......................................:.(......}....*..{....*6.(...+(.....*:..(...+(.....*..{....*.0..J.......... ...%... ...(....}.......{....o....o....}.....{....o....,..{....*( ...*...0..?.........(!...}"......}#......}$......}!.....|".....(...+..|"...(#...*F.{....%-.&*($...*..(%...*~r...p.....r...p.....r)..p.....*~r...p.....r...p.....r)..p.....*v.(%.....%-.&r?..ps&...z}....*..{....*"..}....*..{....*"..}....*..{....*~rU..p.....ru..p.....r.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):56400
                                                                                                  Entropy (8bit):6.30490980453766
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:uBu8CE7AFg+0ITvhADGmnnbaTfP63+R3u9q09ejEpYinAMxC881:ucfWA2+DjaD/nnba+3uwq09ec7HxS1
                                                                                                  MD5:6A78A125A2E3E232E5CA99DFC52F5BAB
                                                                                                  SHA1:B9926C0419472F8BCC5DD23532E29C1DA34EE17A
                                                                                                  SHA-256:DE00084D93DDC8DF65BF23D70DCE1F9DFAF4277C381EED19E9F96A18D1A77C57
                                                                                                  SHA-512:624873C03967886E4C6A628034B0ED7C7747CCFD32641194F4F5B8827D3555DC28590533B69D03F2597F218CD010E5D70B0CED024736B20ADDC68367346EF494
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................... ............`.................................=...O.......................P(..........L...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................q.......H........G..Tu..........................................................~....*..0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...( ...*.(....,!r...p......%...%...%...%...(....*....(!...*..,&(....,..r...pr...p.(....("...*..(#...*.*.(....,.r...p......%...%...(....*...($...*.(....,.r...p......%...%...%...(....*....(%...*.(....,"r...p......%...%...%...%..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):63056
                                                                                                  Entropy (8bit):6.287321950681953
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:J+UfRQY8PGNWovMLJYBjtLgnuAAAAAknwd45FnrfMq1/yJuoiYblHJg6GOmDulEh:J+tY8PIiq51wcFnDMsno7jRma+7Hxd
                                                                                                  MD5:55EBC669459FCC49F58F96F9003B9ADB
                                                                                                  SHA1:B00BC54B8BB572A91E6B5449CA7E161244806895
                                                                                                  SHA-256:718EF8C135AEB2C5B248F433758441503CC3F42E70946666608AFF3AEE495DFA
                                                                                                  SHA-512:AF18059F3E3E4304FB877FDF2ED61D53D072BB2B3D8E1EBA0D4B74ACD04108063F7853054BBF97A93850821A543A57FEE02E0252C8AFD409335F916B56D0A2BE
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@............`.....................................O.......................P(... ..........T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........N.................P...(.........................................(&...*^.(&......J...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*.~....*.0..........(....,..*..(.....o'......&...*...................0...........(.......((...-..,..*.*.(....,.r...p......%...%...()...*..(*...*.(....,.r...p......%...%...%...()...*...(+...*.(....,!r...p......%...%...%...%...()...*....(,...*..,&(....,..r...pr...p.()...(-...*..(....*.*.(....,.r...p......%...%...()...*...(/...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Configuration.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27728
                                                                                                  Entropy (8bit):6.551086012985974
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Y/r0yw26S3QgV/UxNmsUspvnipmgNRLGc3WxsBU7RWBzNyb8E9VF6IYinAM+oCfX:8r0j26i92L6zBU7uEpYinAMxCP
                                                                                                  MD5:234B690507F9FAB8A2AE2DDED1357C17
                                                                                                  SHA1:27B4B381DDA5DB266AC6318B410BF25EA9F8A7F1
                                                                                                  SHA-256:7A4598E103896F4F5CDE4FE1C1A9F2D1535C26F8D1A4F97C9332EF3C40A439D1
                                                                                                  SHA-512:28362763CA8F620217DA4E9ABCE43CCEB0FE952B09AFFD240EF1B8327424FD09E255CEDAFBABF48D0D9691D81A5B07F3BF345947AB5567E41E8F47CE5ADDB9F0
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Dv2..........." ..0..:..........bX... ...`....... ..............................M.....`..................................X..O....`..L............D..P(...........V..T............................................ ............... ..H............text...h8... ...:.................. ..`.rsrc...L....`.......<..............@..@.reloc...............B..............@..B................AX......H........&..X+...........R..`...xV.......................................~....*..0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*...(....*.(....,.r...p......%...%...%...(....*....(....*.(....,"r...p......%...%...%...%..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Console.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51280
                                                                                                  Entropy (8bit):6.367904513182944
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:fTGWFIlYoY5b3OxMZnndnnennnnnnRt3nV+JEtpzU+uujK2lBJqFsSjKcb7SEpYc:fiKIe9JyvSCG2l+NX7Hxheo
                                                                                                  MD5:D024BA9294E580CE20266BE92144CE21
                                                                                                  SHA1:C84A8789B37D8A086FD9750E92F870CC271DBBF2
                                                                                                  SHA-256:207592672324F9B89D88DAA01E18A9501FFDA351908FADFFA1D38FE779594524
                                                                                                  SHA-512:EECE0E3FDDE38170CA8F9B5E154224EA317314B97D8C87E3F501D50C3059F5CD39E0D45272279F523430206219D474E3F8AA4754B23489218DBE007E433DA3C6
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....D..........." ..0.................. ........... ....................................`.................................1...O.......L...............P(..........0...T............................................ ............... ..H............text........ ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B................e.......H........C..Hl..........H...h.............................................("...*^.("......X...%...}....*:.(".....}....*:.(".....}....*:.(".....}....*.~....*.0..........(....,..*..(.....o#......&...*...................0...........(.......($...-..,..*.*.(....,.r...p......%...%...(%...*..(&...*.(....,.r...p......%...%...%...(%...*...('...*.(....,!r...p......%...%...%...%...(%...*....((...*..,&(....,..r...pr...p.(%...()...*..(*...*.*.(....,.r...p......%...%...(%...*...(+...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19024
                                                                                                  Entropy (8bit):6.636376636323213
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Ev+kBD/v7WJZVMWUBNyb8E9VF6IYinAM+oCCb4RC:EmMbuaEpYinAMxCGIC
                                                                                                  MD5:EC620107577C70EF9A35370ECDC7E48E
                                                                                                  SHA1:D5B1D31BE728865CD2BE805A99899CEBE9FB9543
                                                                                                  SHA-256:149785F6C1069C4AEEDC4B13730BEE3664EB714F44EEDCFA15D097FFACEA5548
                                                                                                  SHA-512:60391DAD37D27D105ED3DB4D8DD5F06BCF2EB69CB06D9026A8C2CF713884C4EF3A9E6C13A5B6669B834963055A5E18B43D94BC4DD10C781F0D4D5A860B4C5409
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+8p..........." ..0.............>4... ...@....... ....................................`..................................3..O....@..(............"..P(...`.......2..T............................................ ............... ..H............text...D.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`....... ..............@..B.................4......H.......d!......................d2......................................J.o....(...+(.....*..(....*.~....*.*.(....*.s.........*.~....*..(....*.*.s.........*:.(......}....*.(....*F(....,........*.*.0..p.........(....-.*..-.r...ps....z.....o......(....,.*r...p.......(.......,..(....(......%-.&.+.o....( .......{....(....*"..(!...*..s....*.*..(....*.BSJB............v4.0.30319......l...D...#~..........#Strings....x...(...#US.........#GUID.......P...#Blob...........W..........3....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25168
                                                                                                  Entropy (8bit):6.602492244793594
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ZzTu6iOUdGgvklNpdOHhvVhZQVW27FW8Nyb8E9VF6IYinAM+oCC/Fi:ZziZOwklFYh4jEpYinAMxCd
                                                                                                  MD5:25085314DBB9591FB8E8069350D1DF4B
                                                                                                  SHA1:31C55CE68D4C2EB2BD7528B5FAA63330E9F7F10D
                                                                                                  SHA-256:4F3913937EC411FF2EBE7AFAF10A2B55F572A6F1763BB3B1320E93540176570B
                                                                                                  SHA-512:4EB7215BDB25D233A069B536A5A7129528F66978E9D2A76F2BFF8DFE9A08A8406B8D4F496E1B1AA0B19E15E4EE5DB308848723180D7081697ABDB1D542BFF0E5
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....dn..........." ..0..0...........N... ...`....... ..............................,.....`.................................GN..O....`..`............:..P(..........<M..T............................................ ............... ..H............text........ ...0.................. ..`.rsrc...`....`.......2..............@..@.reloc...............8..............@..B................{N......H........'..$%...................L........................................(....*^.(......./...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*..{....*"..(....*"..(....*"..(....*"..(....*"..(....*..-.r...ps....z.o....(...+(.....*..-.r...ps....z.-.r...ps....z.o.....s!...(...+(.....*..-.r#..ps....z.(....&.o.....(...+&.*..(....*.~....*.*.(....*.s.........*.~....*..(....*.*.s.........*....0...........(......%-.&r7..ps....z}......%-.&r...ps....z}......}......o

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33872
                                                                                                  Entropy (8bit):6.563086985369541
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:T2x4wbbh7Kx8kJ3yiW8/zKeGmBt1qm1CS1yvhGcRtquW3LUWTNyb8E9VF6IYinAW:5wvh7KxdlW8Jvr5EpYinAMxC2n
                                                                                                  MD5:AE55839BDB2A80A88E423363DE26646B
                                                                                                  SHA1:216B449838A7C2FFD182D1B78BD1FE4DA4E60BDE
                                                                                                  SHA-256:274B5887C6D0CEAAF7CBC6D613FF7D69EFA6314AF7950C75E5F91ABA421A60B0
                                                                                                  SHA-512:AF7EA961214F17A09A27AF932F8528162C876E5D74410AAA6D96BF4F8412EECD6F93DC28F7F657BFC7D92486480AABCC45AD5E35B6EDF61272E6F68F5B40214A
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...W!..........." ..0..R...........p... ........... ....................................`.................................9p..O....................\..P(..........0o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B................mp......H......../...>...................n........................................(....*^.(.......E...%...}....*:.(......}....*:.(......}....*:.(......}....*:.( .....}....*.0..+........{....o:......+......o!....o".....X....i2.*:.( .....}....*2.{....o5...*..{....*..0..P........-.r...ps#...z.o$...~....(...+.o$...(...+('....o$...(...+('....o$...(...+('....*..( ...*.~....*.*.(....*.s.........*.~....*..( ...*.*.s.........*..( .....}......(......}......}.......}....*..{....*..{....*"..}...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45648
                                                                                                  Entropy (8bit):6.394614635924562
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:vX8pDT8XP6hA+wMaLWCzAVLOPnyEpYinAMxCwC:vXiDTaP6hfY1GOPnT7HxRC
                                                                                                  MD5:6543EA508CA44C208A5E7387188069B8
                                                                                                  SHA1:639C57EF6A4248852E799FD6FE085EA3362CB856
                                                                                                  SHA-256:C562A4A38C9FB59873702712D070BC97D10BEAEF5257577CDEC7CB38101B017C
                                                                                                  SHA-512:4F70074085869A750552A51F8F43517688DCF789327F000795F56F87E4A34CFF1AC7D7B1988E09F1E8F67360A1C24166303D5691FEE033A9FF4D81674FC56C99
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....+..........." ..0.................. ........... ....................................`.....................................O.......(...............P(.............T............................................ ............... ..H............text....~... ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B........................H........=...X.............X...H........................................~....*..0..........(....,..*..(.....o#......&...*...................0...........(.......($...-..,..*.*.(....,.r...p......%...%...(%...*..(&...*.(....,.r...p......%...%...%...(%...*...('...*.(....,!r...p......%...%...%...%...(%...*....((...*..,&(....,..r...pr...p.(%...()...*..(*...*.*.(....,.r...p......%...%...(%...*...(+...*.(....,.r...p......%...%...%...(%...*....(,...*.(....,"r...p......%...%...%...%..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.ConfigurationExtensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23632
                                                                                                  Entropy (8bit):6.6336314644715
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:noePm+VIkOdHt6Zx8HignlSZYT9zWzL0WtNyb8E9VF6IYinAM+oCD7P5V:lPzVIko9FD9o3EpYinAMxCnP
                                                                                                  MD5:B04F71ECBEB0CD1FC15679B5F2C83C18
                                                                                                  SHA1:69C7C2D7B66967CD707FF58D7076162BD978AD1F
                                                                                                  SHA-256:019127850A8B5942C77ADA38D80BCCA4ABD739BD78A038DDD0C5A04AB817B092
                                                                                                  SHA-512:24A75E1F6CF53CAEAD02BC9A0E7A73B163B83B111333656F5FB5BF36AA9F93F4B71C24F22B30774D902ED51529361B529775C9F2EBDB75114E95D2E8DD48509F
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..*...........H... ...`....... ...............................Y....`..................................H..O....`...............4..P(..........tG..T............................................ ............... ..H............text....(... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H.......$$..."...................F......................................:.(......}....*..{....*:.(......}....*..{....*..{....*"..}....*V.(......}......}....*..{....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*...~....%-.&~..........s....%.....(...+*..-.r...ps....z.o.....o......(...+&.*...0..V.......s.......}......}.....-.r...ps....z.{....-.r...ps....z........s ...o...+&.o....(...+&.*...0..).......rC..p..(#...-...o$.....+...........(%...*6.~&...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59984
                                                                                                  Entropy (8bit):6.316388481082354
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:+CD3yk2B8+9PwwOxC8wZLq6J4q2r0qafouRVPvW3nEpYinAMxCxq:hkB8+94xxBmm6mqaBafouRdiA7Hx/
                                                                                                  MD5:692E60666691AA7C7A3D41B9B84E9671
                                                                                                  SHA1:C16EF8101414C2850C788DD728E2F1134286A4D1
                                                                                                  SHA-256:D73BCD766C323469E4DDAA3E28010CDC1BADBF18DFE9914B0930AE3496E6CF1E
                                                                                                  SHA-512:28CA49180AD5EFD477B957D52786E52A27A732302B0CDE634ADE7AF8A8A9F25DBD06E31245A7EB323308859216650CAFC072BF21CC1DB4FA45BC77B1BF1C0BD0
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............N.... ........... ....................... .......>....`.....................................O.......H...............P(..............T............................................ ............... ..H............text...T.... ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B................-.......H........F.............h.................................................( ...*^.( ......?...%...}....*:.( .....}....*:.( .....}....*:.( .....}....*.~....*.0..........(....,..*..(.....o!......&...*...................0...........(.......("...-..,..*.*.(....,.r...p......%...%...(#...*..($...*.(....,.r...p......%...%...%...(#...*...(%...*.(....,!r...p......%...%...%...%...(#...*....(&...*..,&(....,..r...pr...p.(#...('...*..((...*.*.(....,.r...p......%...%...(#...*...()...*.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41040
                                                                                                  Entropy (8bit):6.341422324702679
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:zlx+oQSHqk49NI0OP7NWEfDkkuiEk3LViMEpYinAMxCog2:vVQSyI0OP7NxfAkuiEkbwF7Hxf
                                                                                                  MD5:E6187CE82E5FDBB4814DBB4B75DF1A33
                                                                                                  SHA1:CA55691C125C9D8F7E3573A4EBDFCD5C6CD8576C
                                                                                                  SHA-256:B8D387926AF32BA9B40CC21C15B20B7458EACDE96AAD1A10B36365B66CCA184D
                                                                                                  SHA-512:D5C98142E58CAE512FDBCC8D5C4F639D4589FB022C79272E4530816F7D22C7595A93E9DADBD2636351B6DA10D3754DF14368FB5A7AAEA110D63931DB2781E56E
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...c.;..........." ..0..l............... ........... ..............................W1....`....................................O.......l............x..P(.............T............................................ ............... ..H............text... k... ...l.................. ..`.rsrc...l............n..............@..@.reloc...............v..............@..B........................H.......H9...E..........@.......P........................................~....*..0..........(....,..*..(.....o)......&...*...................0...........(.......(*...-..,..*.*.(....,.r...p......%...%...(+...*..(,...*.(....,.r...p......%...%...%...(+...*...(-...*.(....,!r...p......%...%...%...%...(+...*....(....*..,&(....,..r...pr...p.(+...(/...*..(0...*.*.(....,.r...p......%...%...(+...*...(1...*.(....,.r...p......%...%...%...(+...*....(2...*.(....,"r...p......%...%...%...%..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):697936
                                                                                                  Entropy (8bit):5.963248155050918
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:deos/POdGV5jfWrV/9Yeh9eRcyLfLYtT5mWxTZ/B7jW5JMtRRpKzQJ:d0/POdGV5jfW5VnhFyvOB7jW5JMtP
                                                                                                  MD5:3FC646321E6E41A6F6DB0F6D68CF0838
                                                                                                  SHA1:F2D15576C8BE70F68548CD040978DDD6B4204AA0
                                                                                                  SHA-256:9C850C7B7B45844B125076F3774F81B71A24537B7F187E597C4CE3C6026F913A
                                                                                                  SHA-512:6CBB07C0E3B5D7607F1B4D4A3A4E78164CE3EC48E70935BB60FE5EA1B596814EDACD9491703F0A7D279544E14FC4C00691EE70505B2A758617690C77682ACEBE
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..t..........N.... ........... ...............................F....`.....................................O....................~..P(.......... ...T............................................ ............... ..H............text....s... ...t.................. ..`.rsrc................v..............@..@.reloc...............|..............@..B................-.......H........p................................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{Z....3...{Y......(....,...{Y...*..{[.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Polly.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285776
                                                                                                  Entropy (8bit):6.198599890196997
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:5MiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcym:5MZpj06vUsMjbQ77D++
                                                                                                  MD5:5B74F4D8E9D47BD1F248193AF6100960
                                                                                                  SHA1:25EF85F59695D0D60B4FD0490AD39A6BBFE61DA3
                                                                                                  SHA-256:6BA0EE588B46E3D05A40955576E1D0F2C82EB315D254F1D3F587A9FC51A828EF
                                                                                                  SHA-512:63CA5F2E05A64028E084BA4760250B706836F8AE74A95F9F81262788BF49DD56E56FA371B3792B96C0F073DE45BF85FEA6AB8A67DEF5BD4325D7E9A37CF7E938
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..*...........H... ...`....... ...............................%....`..................................H..O....`..L............4..P(...........G..T............................................ ............... ..H............text....(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H.......Xd......................TG......................................^.{....,.(G...z..}.....*^.{....,.(G...z..}.....*"..(L...*"..(M...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):38992
                                                                                                  Entropy (8bit):6.295960647161023
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:gdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIlo:gxuJRRsnHnyhQupytM9z7O3zfXYvj8rz
                                                                                                  MD5:B4DBAA3533A39B9374EC9A3DF9CFE2D0
                                                                                                  SHA1:38906D9D3FFF7C58CF4D2BC0C2F54A91EDF2CAC2
                                                                                                  SHA-256:73396F9B1AC255E3877835B4A4FA4E00623795040A1C54B14C4D504CA83480C2
                                                                                                  SHA-512:BF1534427C3C94FF19C451E19887852A530FEAC1C285D65AFCA782374558F041CC85EB3F4BC37014809A19E2E4F8643842B9AAC5E92A1DE9C0C613096A6A185F
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..f..........Z.... ........... ....................................`.....................................O....................p..P(.............T............................................ ............... ..H............text...`e... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B................;.......H.......tF...=..................t.......................................2.o....s9...*6..s4...o....*..0..>.......sg......}......}......}.....-.r...ps....z....h...s....o....&.*...0..C.......sk......}.....-.r...ps....z.{....-.r...ps....z....l...s......(....*..0..{.......sm......}......}!.....}"....-.r...ps....z.{!...-.r...ps....z.(....u....} .....{ ...,..{"......+..}........n...s....o....&.*..0..U.......st......}(....-.r1..ps....z....u...s....(...+&.~....%-.&~......f...s....%...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27728
                                                                                                  Entropy (8bit):6.554466088668113
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:JSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYBNyb8E9VF6IYinAM+oCKtKq:JSCZUl2O1zCnXyzD6EpYinAMxCkT
                                                                                                  MD5:643D074241473A3DA524DCF514C1AE47
                                                                                                  SHA1:7AA5A6CE315CD3DECE4F5A14F92A3C13F99514AB
                                                                                                  SHA-256:5763B143306B3EAF23871C4DE30F726A024A68A395E26C1CD0EA3D873CA6EA03
                                                                                                  SHA-512:6947C00384C518DB1CBA1BA19F65735D01A7DCF96CD2267FCB927164E6392786D7037BDE8C6984193E96A753A874252E22BDC6F5AAA3C75033A79D5356221E64
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....m..........." ..0..:..........vX... ...`....... ....................................`................................."X..O....`..h............D..P(...........W..T............................................ ............... ..H............text...|8... ...:.................. ..`.rsrc...h....`.......<..............@..@.reloc...............B..............@..B................VX......H.......H...H(...................V........................................(....*..(....*..-.r...ps....z.-.r...ps....z..s......o....*v.-.r1..ps....z...s....o.....*...0..V.......s.......}.....-.rA..ps....z.,..o......./...s....(...+&+...{.....s....(....&...(...+&.*...0...........-.rQ..ps....z.o.... ....1..{.....o....*.{.....o....t......,..*.{.....o......{..........(.....{....o.... ....3..{....o ....{......o!......,..(".....*.........U.4.........s#...}.....s$...}.....s%...}.....(

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41552
                                                                                                  Entropy (8bit):6.321443170649413
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:VUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BWEpYinAMxCZv:mLrgfPw3mXREaX7Hxwv
                                                                                                  MD5:0433BB0C58BFD97CECEB68FD52A542D7
                                                                                                  SHA1:AD638A6A23C0516285338F5FDA7C1AF3BF0BE4EC
                                                                                                  SHA-256:7E873F261F95AEC61C2C7F6D05768C7306C3DD267128286FA646E2B6DF267CDC
                                                                                                  SHA-512:894526AC0ED29E296D4987F36CDC44D933408E8182C185FF5488355AE3D20C1896EA675BE0D27C58A74156DE3B17E7DD72B88CFBA4A0F9EBFC54FA3E51B21FAA
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z..........." ..0..p............... ........... ...............................d....`....................................O....................z..P(.............T............................................ ............... ..H............text...$n... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B........................H........<...O..................X.........................................(....*^.(.......D...%...}....*:.(......}....*:.(......}....*...0..,.............................................(....*.0..*...........................................(....*...0..(.........................................(....*.0..&.......................................(....*...0..S........-.r...ps....z.-.r%..ps....z.-.r/..ps....z...s ..............................(....*..0..V........-.r...ps....z.-.rM.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138320
                                                                                                  Entropy (8bit):6.160678928460797
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:MobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDtYQK:5bKKz1UeZk/Phv8lDuPai
                                                                                                  MD5:D755ED4DFE2F19DEB11ADE5CE5070F6D
                                                                                                  SHA1:F5A93E6C45004CB49398A54490F831CDAFF4349B
                                                                                                  SHA-256:936E73360824D627B42DD5401F8BC884E2B3B1D8A27267884275EB524CD7D672
                                                                                                  SHA-512:C49ABBDA336276A7DF68BF41355E23A52B6DD24079022A56A98C0B18D50FDF37BD3F469072B3F7903C94F7B7420E2CFCAC5A702D65155E0AA6C8C1AB2886EC1A
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\..........." ..0.............6.... ... ....... .......................`.......k....`.....................................O.... ..................P(...@..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......h...0O............................................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. ... )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0..b........r...p......%..{)......%q.........-.&.+.......o2....%..{*......%q.........-.&.+.......o2....(3...*..{4...*..{5...*V.(+.....}4.....}5...*.0..;........u......,/(,....{4....{4...o-...,.(.....{5....{5...o/...*.*. .T.2 )UU.Z(,....{4...o0

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\System.Diagnostics.EventLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52304
                                                                                                  Entropy (8bit):6.150052387080182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:sb1yYPvLtCJY0E+F3xeHwNaleirtqCVlXmL+7NQ1OaY7c4EpYinAMxCODiTdS:sb1yYPL0E+F+8inVlXNP7cB7HxNkS
                                                                                                  MD5:60DCBA37E0501E08289CF911B0153FBE
                                                                                                  SHA1:ADE883B487F4C2B359510E417BEB16E74166FE76
                                                                                                  SHA-256:8C28A5CD3B8FA97CBD2B4C4D269EC409AC2680576B47B1E110BC79DD475514D1
                                                                                                  SHA-512:77EE88BB8D745DB3E6D9FED894B5B3275E353FEC6557663E60188BF4FB764BDECD89CA89950D5223E15446D93EE2DDB181A37DFBBFA182963DD72E23F80E114D
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D............" ..0.............n.... ........... ....................................`.....................................O.......................P(..........,...T............................................ ............... ..H............text...t.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................O.......H........4...h...........................................................~....*..0..........(....,..*..(.....o'......&...*...................0...........(.......((...-..,..*.*.(....,.r...p......%...%...()...*..(*...*.(....,.r...p......%...%...%...()...*...(+...*.(....,!r...p......%...%...%...%...()...*....(,...*..,&(....,..r...pr...p.()...(-...*..(....*.*.(....,.r...p......%...%...()...*...(/...*.(....,.r...p......%...%...%...()...*....(0...*.(....,"r...p......%...%...%...%..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):799856
                                                                                                  Entropy (8bit):1.7597847647294211
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:g/r3V645uWOL8/pCuPHnhWgN7acW5RjroUEKup3JdqnajvsKyhr:gx6Yi/uPHRN7y/oU7aJdlrsKK
                                                                                                  MD5:6A205C78D14FA91EFCA3AE531D1FF7E8
                                                                                                  SHA1:9E26E81DFDBA74AE261912993DE875D13BB0891C
                                                                                                  SHA-256:6444DFA03609248EFFD398E8562AF484AD0163A6C47CEE6D3A287FFDEF809AD2
                                                                                                  SHA-512:FD797F528519BD9B864394C2A45AFA5C7F94F58D1F2B55E0017987FB521C9F7292DBE1366BE778E60352FA8F9A08C10B7299AEA39DEEEE3A164BB105857FE7ED
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1.$..........." ..0..............(... ...@....... ..............................Ap....`.................................q(..O....@..l...............p$...`......h'..T............................................ ............... ..H............text........ ...................... ..`.rsrc...l....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......,...#Strings............#US.........#GUID...,...l...#Blob......................3..................................z...............\.....0...........-.................C.................[.....x...........D...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.,...3.H...3.^...3.t...;.....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):132200
                                                                                                  Entropy (8bit):6.172481694612173
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Nw50BNfe5FxLyWnongSwUp+k7bAMZ7cPd:CKNfQxRncgS7bBZ7y
                                                                                                  MD5:2D13C1C8539D6FD7A0717941BF0357AF
                                                                                                  SHA1:0E70EA88A866BAF660950FE74482149456557BDC
                                                                                                  SHA-256:644BB3A1AFBEA6B835422B0987376F04796E38BBBECC08C94023638EEBE57F4C
                                                                                                  SHA-512:A52AE3560B22C354F5CE89358219A7FA2FEAA12B376F72B8B53E6ED5E4B02703777CF1678744E7C038C29616975C0E63DFE17BFCB0A9D53B394452EC17AD979F
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.D..........." ..0.............&.... ........... .......................@.......(....`.....................................O.......................h$... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......................D.......\......................................."..(,...*2.{-...(....*"..(,...*2.{-...(....*"..(,...*2.{-...(....*.~+...*....0..........(+...,..*..(6....o.......&...*.............."....0...........(,......(/...-..,..*.*.(+...,.r...p......%...%...(0...*..(1...*.(+...,.r...p......%...%...%...(0...*...(2...*.(+...,!r...p......%...%...%...%...(0...*....(3...*..,&(+...,..r...pr...p.(0...(4...*..(5...*.*.(+...,.r...p......%...%...(0...*...(6...*.(+...,.r...p

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1966298
                                                                                                  Entropy (8bit):7.9989725851892
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:HELBDnMsmlLa7SwvAQAQI3/ehJQmjJaLbjvQInz96/pU7jy5EFgxivT9rnzvDbOU:kJMJig3/ekmlQjvQQLUNxqrzrmniuxa
                                                                                                  MD5:B110BA42CA8D339B18293AC3F1E94F03
                                                                                                  SHA1:E21AC41D052159076B34823D2653DB0DECDF7F8C
                                                                                                  SHA-256:C860712A06A55CDDDFED7A9F86F0DF36DA1E475B9901148D07D5B02331BA0F77
                                                                                                  SHA-512:D81EFA032F3FF5EDC247440CFF1E911A82230B757C02534209FEAD7ECF630FE5308F9A32A78CC229F175CB447735D539EB61039BFB4FF9F8E77B8DBCCDA2B0BA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK........@BrX................Agent.Package.Watchdog/PK........0BrXG...>.......7...Agent.Package.Watchdog/Agent.Package.Watchdog.deps.json.6.J.U.,..{..d.....7......#L..I.....L.PB.=...H.^Hnw....tq.!Ym.w.%@'.I.Xa...6|...@.z.V+C...o.Nu...!*..t....4..A...l..$....KX....p..&......?g..*..../.....I..(...U..g.4..BD.......i.J.+:........'..8...n.~j..,.[....Z.@l...t...d......9.X..8e..=..?..`....V>.......@A..D.........~. \:H..9..p.+...\.PGT8......~...AJ....... ..E...X..RJ.9.v.....;.i.#C.._..d.c.z..:....m....5..*...7....Jx...T....b.z..p.0f...8..ya..p6..ns.K,X.t...`{.j.....N..^.....A.....'n....ES...y.8b.....?Cg...}.......mjEg'.!Zs.,..o..3...~,E\........s..\.<.T..("..qMG)7f))X..x..Y..R..........k........z.r..[X..P....w....).k,.[.X[..4.z.)..Cy.e.D{.V|J.u..W..Bk[...<.o.@L.. .....s-.*..)....E].y'.....r....pQl^O..#......S.R.4.].b..E..e.i.:O..g..k...*...4..5...:. .."..y./....U....2......?.\C.....a...COlQ...XE....j..j........X...1...6.o.j.W....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.deps.json

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):39359
                                                                                                  Entropy (8bit):5.001117795800814
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Yt5DUarXaaec21v5Oc5/MNXP4RBTEQ88jnfA:YvDUarXaaecC5Oc5/mXP4TTEuA
                                                                                                  MD5:B4CB4604F8C7F02757664874D862DD77
                                                                                                  SHA1:6FDB3AEBCEAAFBCFE21333DA021DCD96F8B78B7B
                                                                                                  SHA-256:54289873BCDBAD889E6304E7E1B21D5973BBDD0E1AA73BD19382CFA23713D1CE
                                                                                                  SHA-512:46C27C62CE35512643EE023630A264BFBE1CA41B18BA44E1659B3AF26C0A44E3ABA73D7B90DB77835A76CEE33035791887B722348AA98CB2C4CC9B32F30CEF01
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {.. "Agent.Package.Watchdog/1.5": {.. "dependencies": {.. "Atera.Agent.Package.Infrastructure": "1.2.4",.. "Atera.Agent.Package.Tools": "1.0.22",.. "System.ServiceProcess.ServiceController": "8.0.0",.. "TaskScheduler": "2.10.1".. },.. "runtime": {.. "Agent.Package.Watchdog.dll": {}.. }.. },.. "Atera.Agent.Package.Infrastructure/1.2.4": {.. "dependencies": {.. "Microsoft.Extensions.Hosting": "7.0.1",.. "Newtonsoft.Json": "13.0.3",.. "Polly": "7.2.3",.. "Serilog.Extensions.Hosting": "5.0.1",.. "Serilog.Sinks.File": "5.0.0".. },.. "runtime": {.. "lib/net6.0/Atera.Agent.Package.Infrastructure.dll": {.. "assemblyVersion": "1.2.4.0",.. "fileVe

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35920
                                                                                                  Entropy (8bit):6.456207579215664
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:kj2zXcZGQ2FEagbbE9xEHCC+ud1VEpYinAMxCin:4YCauE9xc+K1O7HxF
                                                                                                  MD5:1E283F1A342729D63266E2DD2C851E2F
                                                                                                  SHA1:47B2551B2F9C3E9E6F2D68E67B1E0D0A539F315E
                                                                                                  SHA-256:98CE24EFC2EF680BFCD5D98E3AC273B148B0828D256ADBA003F57F66E1EC7FC4
                                                                                                  SHA-512:BD84EDA89C91DFEFBAEB6EA952A3BAF2EDBDBCDAB08B5A4437DB2A1F21F82A7BDDBDE9C12C00FEC8CD99FCE75CD945D189EED083BD0AD77DB00353B631DD5D20
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^-............"...0..Z..........2y... ........@.. ...............................r....`..................................x..O....................d..P(...........x............................................... ............... ..H............text...8Y... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B.................y......H.......84...D............................................................{....*..{....*..{....*..{....*..{....*..{....*..(......}......}......}.......}.......}.......}....*....0...........u.......;.....9....(.....{.....{....o....,w(.....{.....{....o....,_( ....{.....{....o!...,G("....{.....{....o#...,/($....{.....{....o%...,.(&....{.....{....o'...*.*.*..0.......... ...9 )UU.Z(.....{....o(...X )UU.Z(.....{....o)...X )UU.Z( ....{....o*...X )UU.Z("....{....o+...X )UU.Z($....{..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):159824
                                                                                                  Entropy (8bit):6.224052560324469
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:5czkitvo4BpYN/6mBPry8TXROLdW5m4mUR39OOGu0kpNY:5A4NCmBPry/N2jOOHS
                                                                                                  MD5:0B7534A49A757D7525F7FC966D6CAF5F
                                                                                                  SHA1:2548A8D4BFE81D194A42A6DF1761AB910DECCBCA
                                                                                                  SHA-256:312755B522A3CB212A2D5E0DF2888699C35DE233A2DC198C37475E2BF414B0A1
                                                                                                  SHA-512:4D3105E7669093DF8364543571D839D0FD573153EED27D82860984797FB30853C3F5FB7707BF97442D4AB71783012FBBB3D9AB1A2D6ACBEA335F06B756FD4796
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........}.............../......./......./.....a.....S../........"...I../....I../....Rich............................PE..d......e..........".................`<.........@..........................................`.................................................t$...............`..@....H..P(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.reloc...............>..............@..B.rsrc................B..............@..@........................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13
                                                                                                  Entropy (8bit):3.7004397181410926
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhUkov:Wtov
                                                                                                  MD5:4F935A094C5DB43100C1C6191F1D2257
                                                                                                  SHA1:D35F739210BF40D4E936975C00BF90F015DA6847
                                                                                                  SHA-256:01AC8D880AA7CB47A4C9475593AC81924D0D51CEB9C3276BA11F5848AFA05FE1
                                                                                                  SHA-512:C60461AE0FE1DF07D67FC55012DCDA8E2615DBCEAA885EE1DB9FB2E4FCF71990730FBFA10300A957D8E1908D1B9FA61A36A665ED63C934E07958DC73606C5AF3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=1.5..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.runtimeconfig.json

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):253
                                                                                                  Entropy (8bit):4.585549446641918
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:3Hp/hdNyhAkI/XCkyFNOJeZS1sHZeQ6NOCUo+K8EkNTy:dFkp5MeU1s5hex+K8Es2
                                                                                                  MD5:24E4653829DE1022D01CD7DDD26E2F22
                                                                                                  SHA1:9160A009CB381E044BA4C63E4435DA6BFEB9DC6D
                                                                                                  SHA-256:DED3AEB5856A11DB0B654A785574490CAB55839EBFB17EFE9E39B89618FC5B91
                                                                                                  SHA-512:EFD4BBBA1BAEC0B47003831510E3AA539DB9EF468E0F06BA9D7BA6D0B3800035F7C818D7D90171BFD377EC97D08C4617555BCFF635DD83EFCEB412B1A9CCA820
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "framework": {.. "name": "Microsoft.NETCore.App",.. "version": "6.0.0".. },.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53840
                                                                                                  Entropy (8bit):6.300468155319662
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:4dUSqld/oh93y+UR4ULL4L88EKNoo9sXQqt9EpYinAMxCQr:4d2P/phL4L8KGo9sgqt27Hxb
                                                                                                  MD5:355567F26142F9101526CB91F98FB03D
                                                                                                  SHA1:B7D5B6C9D78A4C7F4775F79F68B640D2E90DF1E0
                                                                                                  SHA-256:6D81FB3829261543D93FF02BF239BD25A39E41DCB645381F0A8C9D53E8694A68
                                                                                                  SHA-512:C72ADB068410D53C085BC5DEA0CADB6D2C55603566923C12547CA2D897D1F238F706BD1F7A046E97A8A21C95DB4B97EE70A32BD559437508B65887686CDBE6A3
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#.(..........." ..0.................. ........... ..............................B.....`.................................X...O.......t...............P(..........P...T............................................ ............... ..H............text........ ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B........................H........I...t............................................................{....*..{....*..{....*r.(......}......}......}....*....0..Y........u........L.,G(.....{.....{....o....,/(.....{.....{....o....,.(.....{.....{....o....*.*.*....0..K....... M.. )UU.Z(.....{....o....X )UU.Z(.....{....o....X )UU.Z(.....{....o ...X*..0...........r...p......%..{.......%q.........-.&.+.......o!....%..{.......%q.........-.&.+.......o!....%..{.......%q.........-.&.+.......o!....("...*..(#...*^.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):66640
                                                                                                  Entropy (8bit):6.273913453163328
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:PO4QNCMhTIDWo+hDbEicjIeoCtU1a1ZTG/2u2Xv2vFbanu5fEpYinAMxCIiO:xQTIywi3eobgTG/2u2/wb0u5Y7HxwO
                                                                                                  MD5:90916CE0E528B775C1179E96F86CA200
                                                                                                  SHA1:6F64812C50EC9E6672CB088903F913168F35430A
                                                                                                  SHA-256:BB828056E376EF41E40F212FB6AD2990227CBCF821D4835263180C4768795249
                                                                                                  SHA-512:EB027447FB79E3E0A397EF173205596C8DFA936C9CB0F88B9A27ADFBB0F3E1B4E28F18FC907F3BFF2C4A39BB03B8131A5998E90F2BA60E4F522B7BF36D1C18BD
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|.t..........." ..0.................. ........... .......................@......)T....`.....................................O.......................P(... ..........T............................................ ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........_...............................................................(....*^.(.......J...%...}....*:.(......}....*:.(......}....*...0..T........(....(....,..(...+&.(...+&.(...+&(....,..(...+&.(...+&(....,..(...+&.(...+&.(...+&*.0...........(....&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&.(...+&*".(...+&*".(...+&*".(...+&*.(....*.(....*..(....*j(.....%-.&~....(....o....*j(.....%-.&~....o ...(!...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):186448
                                                                                                  Entropy (8bit):6.958336672022744
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:ChOh6zHpz7YSkfd6kUYm4wlb6QAGcbLQpgjOHopZb7UsUDfAbmn1F8mkmBC:ChJ177+9jQAVph4sUDfAbm1F8MC
                                                                                                  MD5:6DDA20C58ED67382D0B5D7A17FAF6A4A
                                                                                                  SHA1:5C39B32EDAA98E70BF01DACE2C59D6EC304F8DD1
                                                                                                  SHA-256:43EFFADADAA2FD01EE7DB52BFEC67F9A1E9E2F8FC276B4EC244BB24B854315BB
                                                                                                  SHA-512:8984AFB415FC19ABB4358455DE47FD4FB3EE75F005772AF4204508F1DB47B21E93EAAC7410FB5001BC59F922A5489599FAFCBF589B6DCBD891C9686C8BF46B71
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.............:.... ........... ....................... .......:....`.....................................O.......$...............P(..............p............................................ ............... ..H............text...@.... ...................... ..`.rsrc...$...........................@..@.reloc..............................@..B........................H.......0.................................................................(9...*^.(9..........%...}....*:.(9.....}....*:.(9.....}....*:.(9.....}....*....0..G.........(:...}q......}r......}s......}t......}p.....|q.....(...+..|q...(<...*..0..G.........(:...}x......}y......}z......}{......}w.....|x.....(...+..|x...(<...*..0..G.........(=...}c......}d......}e......}f......}b.....|c.....(...+..|c...(?...*..0..G.........(=...}k......}l......}m......}n......}j.....|k.....(...+..|k..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29264
                                                                                                  Entropy (8bit):6.524120604887875
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:9+q+2Vv/+usFlLVyKo/9ETG/DwzzRjz69M1ZVMdWs6NWsaaNyb8E9VF6IYinAM+R:9+EF/CvyKohrqnDEpYinAMxCtz
                                                                                                  MD5:8A86E5FF5D774C00992E276CFACECF80
                                                                                                  SHA1:F19FD07AE29B32579E75A0E4E738EF878835A037
                                                                                                  SHA-256:BB6667D93A1258A76DF2C007083A1E7CC000BB5BEA3195544EAC733C6259A540
                                                                                                  SHA-512:B35960BB4908F05602D375AD24316E293B05FEC90A6E366D32F3CA7CA37BDBE0158F572EAA7BB8C6C387691DAA2AE213258603E4658BA99767FDC0D9BE4E5972
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N............." ..0..>...........\... ...`....... ...............................d....`.................................{\..O....`...............J..P(..........d[..T............................................ ............... ..H............text....<... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............H..............@..B.................\......H........(...............W..X....Z........................................(&...*^.(&......8...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....**.-..(....*..s'...z.~....*...0..........(....,..*..(.....o(......&...*...................0...........(.......()...-..,..*.*.(....,.r...p......%...%...(*...*..(+...*.(....,.r...p......%...%...%...(*...*...(,...*.(....,!r...p......%...%...%...%...(*...*....(-...*..,&(....,..r...pr...p.(*...(....*..(/...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):42576
                                                                                                  Entropy (8bit):6.408969180714612
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:uThLeDjUB16TI1CQ12cMcFgL/l5d4EpYinAMxCB:uTvB71dEcME45dB7Hxy
                                                                                                  MD5:071B50004B2ABE329A964ECD09A7E896
                                                                                                  SHA1:08D2A3056856235113C43CA3FA27D47C759F7EB6
                                                                                                  SHA-256:E8C446C1ACC2E0BC2DC9A80E286456B9A84B5DB5B1D4101C612BBFBD331EE0A9
                                                                                                  SHA-512:6608AA59D25BB19F7B34717083C8BD60CFAFD299D982445BC491C12E265C9BDFE92A23CCE45074583184C6F2A128CD2646EF05DF59FC82C7B5CF4D8F3046E19E
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...f............" ..0..t.............. ........... ....................................`.....................................O....................~..P(..........|...T............................................ ............... ..H............text....s... ...t.................. ..`.rsrc................v..............@..@.reloc...............|..............@..B........................H.......4:...L.............8.............................................(....*^.(.......A...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...( ...*..(!...*.(....,.r...p......%...%...%...( ...*...("...*.(....,!r...p......%...%...%...%...( ...*....(#...*..,&(....,..r...pr...p.( ...($...*..(%...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25168
                                                                                                  Entropy (8bit):6.670940956884048
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:wYEMITBweJkneGO3WKGW9anWsVNyb8E9VF6IYinAM+oCOScXu:2TBwa7dEtxEpYinAMxC+u
                                                                                                  MD5:D950E5EC874F7C62306B93500FD36BBA
                                                                                                  SHA1:530F5F348CE9B50C396629A16F6F815F2495722F
                                                                                                  SHA-256:416CCF9CDAB49BB9DC2B4259E0D5B4434540AC82C1BC166F85D3CBD9F8942D4D
                                                                                                  SHA-512:B374D9A55A99603CD623D0876CEB8235FC235A09C8DA9BD0FEF9AFB2EA11574811E9073AFAF6DB56697AA3E75546BC61F029384404544D0299046EF239406E96
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1............" ..0..0...........O... ...`....... ....................................`..................................O..O....`...............:..P(..........xN..T............................................ ............... ..H............text..../... ...0.................. ..`.rsrc........`.......2..............@..@.reloc...............8..............@..B.................O......H.......d&...#..........hI.......M........................................(....*^.(.......-...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....( ...*..,&(....,..r...pr...p.(....(!...*..("...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):21584
                                                                                                  Entropy (8bit):6.717352450932083
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:N6jxRm3soGTeZeszQm31WUKeWsJNyb8E9VF6IYinAM+oCen75ikD:Mj23spTeZposNEpYinAMxC7kD
                                                                                                  MD5:C2177320BC76C026D8C554D8CFEC1F2F
                                                                                                  SHA1:A208DC6AE7A5FE8FBAF5F5FDAC980B0360A667EC
                                                                                                  SHA-256:F971952E34D3BFA8263D8B5FD7F4F251B9D8C969E3EC2325AF0A3BFFD43DC946
                                                                                                  SHA-512:39A7258DF35A89A6A9B68220CA0AD159839739F8EC6DF987EE7C53CEBC2B55C44A3FD81718F620B45B14EB6AF2075A1AD5DDFA895CF34B71A0947B1BEF7CE389
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s............" ..0.."..........NA... ...`....... ............................... ....`..................................@..O....`...............,..P(...........?..T............................................ ............... ..H............text...T!... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................/A......H.......x#......................T?........................................(....*^.(.......$...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.s....o....&.*V.s....%.o....o....&.*"..(...+*v.(.....~....}.....~....}....*..(......%-.&~....}......{....(....}....*2.(....(....*..(....o....r...p.{....r...p(....*..0..........(....s......o.....8.....o .......(!...t&.....o .

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28240
                                                                                                  Entropy (8bit):6.602224449204335
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:pzp434gr92+liFe/5XjtCZ0UaFoSc43IXABPpBzWq66WstNyb8E9VF6IYinAM+ox:5xk1/9jtGhScRwPpByoJEpYinAMxC8LX
                                                                                                  MD5:A9BB401E3DE7FB6FC038DC6BDC27591B
                                                                                                  SHA1:CB1CC3D6E4A603C1B25350D5E5581193A80D3D9C
                                                                                                  SHA-256:1B15C473C30E52A08ABDA9FFF9099E5A51EB8DB5733A7EFA29FCCEA2C17BDB6A
                                                                                                  SHA-512:EB5C0910134420FB6717039FD95CC819C24FA0F3288A83DD43363CFD902D3FD39686B3E0D74D29B0604DD771D7215DFF2EE39713D49A760E2113B86CF98BBAAC
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."..........." ..0..<...........[... ...`....... ....................................`..................................[..O....`...............F..P(..........tZ..T............................................ ............... ..H............text....;... ...<.................. ..`.rsrc........`.......>..............@..@.reloc...............D..............@..B.................[......H........(...,...........U..8....Y........................................(....*^.(.......3...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...( ...*.(....,!r...p......%...%...%...%...(....*....(!...*..,&(....,..r...pr...p.(....("...*..(#...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27728
                                                                                                  Entropy (8bit):6.567134242779113
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:SXLAulT7JkcAoWovkT7jF6zOFz3Ge1l68mWka2WsCNyb8E9VF6IYinAM+oCltvGw:mLAux7yUcT7jF6aYhSkCEpYinAMxCv
                                                                                                  MD5:97C4011B8FC681C68FC0D9A0AFE05134
                                                                                                  SHA1:E3C5A7264874ADAF421303D679637C35DC3A1EBB
                                                                                                  SHA-256:B9FA3DFD672088A280B1B6AFB38E9539B195B85D8351F6753D064D10F23A8617
                                                                                                  SHA-512:70CA32792A0FB2325BC511FA1A298D1D03AA7D8E72B6F1F05443C0FE2D8B01521A745F4F1C8D7CE1FC27E6AEE112E8C499B2FF79C885BADC774EDD942C732906
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..:...........X... ...`....... ....................................`.................................SX..O....`..l............D..P(..........LW..T............................................ ............... ..H............text....8... ...:.................. ..`.rsrc...l....`.......<..............@..@.reloc...............B..............@..B.................X......H........(...)...........Q.......V........................................(....*^.(.......;...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*..............!....0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..( ...*.(....,.r...p......%...%...%...(....*...(!...*.(....,!r...p......%...%...%...%...(....*....("...*..,&(....,..r...pr...p.(....(#...*..($...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26192
                                                                                                  Entropy (8bit):6.549189808431148
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:pMvnbB39p5YGTv9uuM1iFSF3yE1LlW9KCWs7Nyb8E9VF6IYinAM+oCUYO39:pKnbPplTv9uuLuVwXEpYinAMxCq39
                                                                                                  MD5:7D44B25B42F8273E1B95DB0D73671E84
                                                                                                  SHA1:265714D11A304A27443F9DBAFB33A2987C5AF845
                                                                                                  SHA-256:823154871F155DDCCB8DBE9DCC3078263A6C296D32524564E90B106930992987
                                                                                                  SHA-512:563E7DB622C13C19BA81E5C123C812A8FBEB4D50C6BB2A1686C728180A26CC246D369B1BB5B8536D28A2105CA9D8DA7C8108AE3EBE302CC180EF29BFA5C8B3A2
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,.<..........." ..0..4..........bR... ...`....... ..............................~.....`..................................R..O....`...............>..P(...........P..T............................................ ............... ..H............text...h2... ...4.................. ..`.rsrc........`.......6..............@..@.reloc...............<..............@..B................AR......H........&..$$..........(J..P...xP........................................(....*^.(.......&...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....( ...*..,&(....,..r...pr...p.(....(!...*..("...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41040
                                                                                                  Entropy (8bit):6.41098819814607
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:e054t3ibki5TCk3jqEr0WBum6JEpYinAMxCmd:ePtnUj/Lkmp7HxZd
                                                                                                  MD5:CA14EEE1F7605296B50D9471B3846A1A
                                                                                                  SHA1:E26129A1044FA6A4A85A8890D3569C3900E338D2
                                                                                                  SHA-256:F7CAB383114EDE19662B14EFADEAD8E76FE59954DE5464BA64E270587D738206
                                                                                                  SHA-512:8EF77602DD6D4F86E3607A287F8E07567B216D73FA442FD7B9165B1087D2712817FAB690107EC23929EB519560CFAC897FE6C794B941A6E69CEE6D3CF661DE63
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...mq..........." ..0..n............... ........... ...............................B....`.................................a...O....................x..P(..........d...T............................................ ............... ..H............text....l... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B........................H.......p8...M...........................................................(#...*^.(#......A...%...}....*:.(#.....}....*:.(#.....}....*:.(#.....}....*:.(#.....}....**.-..(....*..s$...z.~....*...0..........(....,..*..(.....o%......&...*...................0...........(.......(&...-..,..*.*.(....,.r...p......%...%...('...*..((...*.(....,.r...p......%...%...%...('...*...()...*.(....,!r...p......%...%...%...%...('...*....(*...*..,&(....,..r...pr...p.('...(+...*..(,...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45136
                                                                                                  Entropy (8bit):6.259777287029036
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Kq+RszBJV7CkN9YxrIvw2DLBjYAQP0+lyJ9PPAEpYinAMxCsi+x:Kq+SSkNNjdQc+cJNh7HxJiy
                                                                                                  MD5:0E56D17A0B873639366047CE26A5E063
                                                                                                  SHA1:491A1C758D27BBA08ACF9CFC87468988545835F0
                                                                                                  SHA-256:559CDE153D2C725745796BE20B7FE5C197DBAFBFBC3A2D4C44CC025DD75AF8ED
                                                                                                  SHA-512:A026E4CA433846D0DC3FB53826770DB45C8D765B1705D6C0DF45991440809AF2134F8608E2E0DCABBBD539049E72DA701F2951337B6CFB3ADDE43A72A739A578
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r=..........." ..0..|............... ........... ....................................`....................................O.......................P(..............T............................................ ............... ..H............text....{... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B........................H.......<=...U..........P....... .........................................(!...*^.(!......E...%...}....*:.(!.....}....*:.(!.....}....*:.(!.....}....*:.(!.....}....**.-..(....*..s"...z.~....*...0..........(....,..*..(.....o#......&...*...................0...........(.......($...-..,..*.*.(....,.r...p......%...%...(%...*..(&...*.(....,.r...p......%...%...%...(%...*...('...*.(....,!r...p......%...%...%...%...(%...*....((...*..,&(....,..r...pr...p.(%...()...*..(*...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):85072
                                                                                                  Entropy (8bit):6.2673588925221
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:nNNgvCsvGPrpqSMo4Z9M4IIWSYe2Kbj5u6fjQ+7PMMcmnJz7Hxfp:nMCsvGPPed5ZfjQ+rBvJzFp
                                                                                                  MD5:68E188489CD2966EF4B9E8864B5236ED
                                                                                                  SHA1:23A5FEA5C4787804CF140741AA35F7CC55229977
                                                                                                  SHA-256:97BA41B72AE55EA3FC47A6D48769638F608F8AD498A0A81E4780C42C45F34BC5
                                                                                                  SHA-512:C14EACFA5ACCAFE998FD55868A91FAFDB3A23031A6DBECCCD76ADAE1E4F43C414C6C3AEBA4D4F4FEF04E0FCA8CB6B7F08017937E353522775924F1992377235A
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R.)..........." ..0.............28... ...@....... ....................................`..................................7..O....@...............$..P(...`.......6..T............................................ ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................8......H.......lj..............$%..0...T6........................................(&...*^.(&......s...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*.~....*..0..........(....,..*..(.....o'......&...*...................0...........(.......((...-..,..*.*.(....,.r...p......%...%...()...*..(*...*.(....,.r...p......%...%...%...()...*...(+...*.(....,!r...p......%...%...%...%...()...*....(,...*..,&(....,..r...pr...p.()...(-...*..(....*.*.(....,.r...p......%...%...()..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23632
                                                                                                  Entropy (8bit):6.618432341469682
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:OVAko1Z0S/oj6ETt9EQMVSz3PMA2oWs6hWso4Nyb8E9VF6IYinAM+oCqJ2qui:O3m0SM3Tt90Pl7fEpYinAMxCa3x
                                                                                                  MD5:AC95850E08238CF3A6FFC51D47BCC1DB
                                                                                                  SHA1:06CC0E13887DC0030A0DFFE067E01BE77D75CF4B
                                                                                                  SHA-256:B788F714E91102C2D34FF5E20A07F7408E9EF74343871942E5889612EBBE70A5
                                                                                                  SHA-512:58B35DA53926365A3502BCDE514E34C3159EC5DF7672527C884FF5057FF1089F0124EE79F66EA79E6004DF4CD14805C4495C43AC0C38AA07851303F3FAFADF15
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P............" ..0..(...........G... ...`....... ....................................`..................................G..O....`...............4..P(...........F..T............................................ ............... ..H............text....'... ...(.................. ..`.rsrc........`.......*..............@..@.reloc...............2..............@..B.................G......H........$...............B..@....F........................................(....*^.(.......(...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.~....*..0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*..,&(....,..r...pr...p.(....(....*..(....*.*.(....,.r...p......%...%...(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45136
                                                                                                  Entropy (8bit):6.430057016218873
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:FxddbVKFC/2DfTMFeuzpdUTVoIEu3GzN/EpYinAMxCMe:FNxxAYFeMpdURZEu3S+7HxZe
                                                                                                  MD5:123D79B76609A0E1B4E7977FF4283822
                                                                                                  SHA1:E4F25CDDCF76FFB2569D22D2090D32B33A98512B
                                                                                                  SHA-256:871B2C2230BF4079699D34AFD6A262B7FF362431D7B2A0F4C3539A6F7D1C267C
                                                                                                  SHA-512:C4EF8889F3DED86FBDE77EFB0A017B14F6888984F0F9A7B12FCC6CD782816B78878B0F853EF2BCF0A18F6C7966D8E495B62CF11B8EBDDBA94440FFA2F2A51AF6
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....s..........." ..0..~..........&.... ........... ..............................k.....`....................................O.......p...............P(.............T............................................ ............... ..H............text...,|... ...~.................. ..`.rsrc...p...........................@..@.reloc..............................@..B........................H........;..(Y..................D.........................................("...*^.("......V...%...}....*:.(".....}....*:.(".....}....*:.(".....}....*:.(".....}....**.-..(....*..s#...z.~....*...0..........(....,..*..(.....o$......&...*.............. ....0...........(.......(%...-..,..*.*.(....,.r...p......%...%...(&...*..('...*.(....,.r...p......%...%...%...(&...*...((...*.(....,!r...p......%...%...%...%...(&...*....()...*..,&(....,..r...pr...p.(&...(*...*..(+...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):47184
                                                                                                  Entropy (8bit):6.373451878905772
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:ekfEnkM0vRbJ05axPAONhO+JZIkp5ygv/MFKEpYinAMxCz:LEkMoRxtzIk3ygv/Mp7Hxw
                                                                                                  MD5:83CBC69E9A528F906F2EB5B9528FA378
                                                                                                  SHA1:0638CA4EB918BD9A7D68C5731D831B57E5D48019
                                                                                                  SHA-256:5F7223586AE47F001319524B3A9BC4B635A0D44870733D46FF1BFF780485C4C2
                                                                                                  SHA-512:DD817FBDA24F1DC42C83C44D8A301123D5751895F5C542FDF3CF82CA1459B7728D897C3B3C5F1E1915282B7B4968F93ECB6D0DB4ECF80E79093C4F2B47B9420B
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....*..........." ..0.................. ........... ...............................y....`.................................k...O.......H...............P(..........d...T............................................ ............... ..H............text....... ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........D...X..............H............................................($...*^.($......@...%...}....*:.($.....}....*:.($.....}....*:.($.....}....*:.($.....}....**.-..(....*..s%...z.~....*...0..........(....,..*..(.....o&......&...*...................0...........(.......('...-..,..*.*.(....,.r...p......%...%...((...*..()...*.(....,.r...p......%...%...%...((...*...(*...*.(....,!r...p......%...%...%...%...((...*....(+...*..,&(....,..r...pr...p.((...(,...*..(-...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33872
                                                                                                  Entropy (8bit):6.465515280994496
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Tup+kjcS4GAF7ItpTYbg8lAZnsboXAEpYinAMxCnpD:Ti+YoF7Itmbg82sboZ7HxS
                                                                                                  MD5:B4B6928B6ABD9BA62549019FC1B6FF19
                                                                                                  SHA1:AFD5DEB02D315D70867335839BA2208DCDD94D88
                                                                                                  SHA-256:03BCCF47620E2795ACDF4519C3E21E2C9009908A7B4CF39312DF8560CD3B4815
                                                                                                  SHA-512:219472590F21237FBBC3F6F31D4C1320E356C5C13DA41AB0B538A2E9F0788B59E4E847E52177719F90B90BCDF496E21CA5A894E019C5BFF923AEFD1774E07ADF
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Kq..........." ..0..R...........p... ........... ..............................r.....`.................................;p..O.......8............\..P(..........0o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...8............T..............@..@.reloc...............Z..............@..B................op......H.......</..,<..........hk..H....n........................................(....*^.(.......I...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o ......&...*...................0...........(.......(!...-..,..*.*.(....,.r...p......%...%...("...*..(#...*.(....,.r...p......%...%...%...("...*...($...*.(....,!r...p......%...%...%...%...("...*....(%...*..,&(....,..r...pr...p.("...(&...*..('...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):66640
                                                                                                  Entropy (8bit):6.302989427949227
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:syK1UG8tMAv0by0P/vGCnbr1hmiBPIIk+n7Hxu:sykl8tla/nbr1kiBx3nI
                                                                                                  MD5:3FCB549ECB9D84B10FEF1727AB043DF0
                                                                                                  SHA1:BDA06DB4121EC85DDF7F2259D92CFB90C0C18734
                                                                                                  SHA-256:AA96A108023C9FE0A430AAE727F8C8D296B72D781A49E14C73BF5FF33EC792D0
                                                                                                  SHA-512:5BBC0A63ACC4D4E3264234D472DD6EE5ABCFB762240B2B868DC344530AA520979C06B02A1BAAF43CD3B293EF3D1F8FDE7341E0413A4A9436473DBE3BF3E4A462
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*t............" ..0.................. ........... .......................@......3.....`.................................i...O.......................P(... ......x...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........R..l...........X.................................................(!...*^.(!......p...%...}....*:.(!.....}....*:.(!.....}....*:.(!.....}....*:.(!.....}....**.-..(....*..s"...z.~....*...0..........(....,..*..(.....o#......&...*...................0...........(.......($...-..,..*.*.(....,.r...p......%...%...(%...*..(&...*.(....,.r...p......%...%...%...(%...*...('...*.(....,!r...p......%...%...%...%...(%...*....((...*..,&(....,..r...pr...p.(%...()...*..(*...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69712
                                                                                                  Entropy (8bit):6.226077670195515
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:VsDE/e+9cxoZhNyjcMiJSAopUx+ZA7Hx0:GDE2HozNyjcf4o2Am
                                                                                                  MD5:3CE2B431D7D349BABEE6937AD0851309
                                                                                                  SHA1:55FF7B9337EAE6B278756C8FCB8C021E04A1AEFD
                                                                                                  SHA-256:10E29D6B33B40B7D82298E40A19AC06362B1A51BA5C94C3A7359F5462EB22697
                                                                                                  SHA-512:07857ACE3128BFB698EF44524451F6E07596EF48F39F8806428473CABC0C71C2348601519BCC6A58237C919F0E1212021525544C8F8A15CCAAC4912ECEFCDF70
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....p............" ..0.................. ........... .......................@............`.................................S...O....... ...............P(... ......`...T............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........T..............`.................................................(....*..(....*^.(.......\...%...}....*:.(......}....*:.(......}....*:.(......}....*.~....*.0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...( ...*..(!...*.(....,.r...p......%...%...%...( ...*...("...*.(....,!r...p......%...%...%...%...( ...*....(#...*..,&(....,..r...pr...p.( ...($...*..(%...*.*.(....,.r...p......%...%...( ...*...(&.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64080
                                                                                                  Entropy (8bit):6.289710606184699
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:M5PhAi33m3UOZsd4IZnuQDLtfjfC67Hxx:gPhAi33mhZiHlvtbfC6P
                                                                                                  MD5:31CD265714D3C3120210364A14DD572D
                                                                                                  SHA1:C5F8727A6E42429D2CF37B59B8A523844964C623
                                                                                                  SHA-256:8FD8996D02C0A89E548069CF924B4E94250C5B4D11261E6D327657F9717E33B6
                                                                                                  SHA-512:9B238628C89D4F72638DDDEF2FBB1155DA7917A56BBF749B96855822802ABAA4B76FE003721E17560E802A1B3478A49A3DE7C02F6F45B8DA54028203DB97D511
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...S............." ..0.................. ........... .......................@............`.....................................O.......................P(... ..........T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......PO..............X.................................................()...*^.()......N...%...}....*:.().....}....*:.().....}....*:.().....}....*:.().....}....**.-..(....*..s*...z.~....*...0..........(....,..*..(.....o+......&...*..............!....0...........(.......(,...-..,..*.*.(....,.r...p......%...%...(-...*..(....*.(....,.r...p......%...%...%...(-...*...(/...*.(....,!r...p......%...%...%...%...(-...*....(0...*..,&(....,..r...pr...p.(-...(1...*..(2...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28240
                                                                                                  Entropy (8bit):6.542681843112789
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:31YBj07ZyQvkBd9aocTPMuiEjYpR6K698kwgcWWxseU7RWsjNyb8E9VF6IYinAMh:l4jUv6iT9jsi8HyeU7L/EpYinAMxClNQ
                                                                                                  MD5:5D53FBFB6C56DAB2AFC15E814956483B
                                                                                                  SHA1:927D7F1B9D0493FAE2C900B73734E5A323ADDED6
                                                                                                  SHA-256:23EE1A91AED2309099858E2E11EC499AD3AD4532E70E0B095DF2CFA118BAA85C
                                                                                                  SHA-512:0B775138E8653240D7DD888F6CBE4EFAA9BD7762887D3C9D64F4FC180F41703D8286DEE63B2D09314E8CB98B319C5FB2C9DD1739CE3F207AFA1AD9C3331F29F6
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Oe..........." ..0..<...........Z... ...`....... ....................................`.................................1Z..O....`..L............F..P(..........$Y..T............................................ ............... ..H............text....:... ...<.................. ..`.rsrc...L....`.......>..............@..@.reloc...............D..............@..B................eZ......H........&..d...........\U..H....X........................................(....*^.(.......7...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z.~....*...0..........(....,..*..(.....o.......&...*...................0...........(.......(....-..,..*.*.(....,.r...p......%...%...(....*..( ...*.(....,.r...p......%...%...%...(....*...(!...*.(....,!r...p......%...%...%...%...(....*....("...*..,&(....,..r...pr...p.(....(#...*..($...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59472
                                                                                                  Entropy (8bit):6.334054400696551
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:t7WAluzJ+Je2PS7kJFT+OUjz+Tf26auuPF1/krd6zkwQRIOIzb7EFEpYinAMxC6z:xJ4V26g1YuuP/2IOe/7Hxp
                                                                                                  MD5:5C0ECE8A6364AD65C5D01B762D721F40
                                                                                                  SHA1:2CEF9284C94A608269D581A4588E81E485378F3E
                                                                                                  SHA-256:A5B60A7BAAA84EA94FEF8704737B6845823A2C1DA0B9F95240CFC61C341FA2FB
                                                                                                  SHA-512:E327BF974B9E909C147E67643A7A972F11C2BC3466B622A2286C3E9C0AF003E333A392090314D850DFFB60CE35B05441C8373D9EADEAB4EFFADC9032F2B98566
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C............." ..0.............:.... ........... ....................... ......#X....`.....................................O.......L...............P(..............T............................................ ............... ..H............text...@.... ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B........................H........H..t...........l.......d.........................................()...*^.()......a...%...}....*:.().....}....*:.().....}....*:.().....}....*:.().....}....**.-..(....*..s*...z..0..l.........~..........(+...*(,........,.r...p(-.......+.r...p(-.....,..ry..p(....-..r}..p.o/...+..+....(0...........*.0..%.........~.......3.(....-..+..%............*F................*..0..<.......r...p..(1...,..*r...p(-.....,..ry..p(....-..r}..p.o/...*.*.*.~....*..0..........(....,..*..(....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):21072
                                                                                                  Entropy (8bit):6.659500044238884
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:UzhlvlfTcbY3SCkWJOVMWs4Nyb8E9VF6IYinAM+oC2aJ8f09:KrfTcbY+uwEpYinAMxCTY2
                                                                                                  MD5:DE75610B9B79DB4EE9FF93D756E16D4D
                                                                                                  SHA1:2B3BBC1AF7191893FC42A450280ECAD9A5C68FE4
                                                                                                  SHA-256:4C036AF950DA497F34F9E325F84A5502DE8AB373559FEE971DACA0AA6C791248
                                                                                                  SHA-512:B9CBE72BCA53564FF77C8B02598190966290DF010902114CB7FF91E6831F87B8833984AA2F2E42F9870A28919A32C9C4B4A7A14901E36272F4EA1029C9C06A65
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...$.}..........." ..0..............=... ...@....... ..............................[U....`.................................-=..O....@..(............*..P(...`......0<..T............................................ ............... ..H............text........ ...................... ..`.rsrc...(....@....... ..............@..@.reloc.......`.......(..............@..B................a=......H.......H"..h....................;........................................(....*^.(.......)...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*J.o....(...+(.....*..(....*.~....*.*.(....*.s.........*.~....*..(....*.*.s.........*:.(......}....*.(....*F(....,........*.*...0............(....-.*..r...p(.........o .....(!...,.*....("......(...+..r...p($

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26192
                                                                                                  Entropy (8bit):6.6410774484512896
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:T3WWQsE/8iqjnqHTnBdOHFgYVwOU3NW2qFWs/GNyb8E9VF6IYinAM+oCUo0eD05:T3hQsE/8irTnfYFr//OEpYinAMxC1ny
                                                                                                  MD5:F07B5825DE2EFB3133BBF61FA2A4CB76
                                                                                                  SHA1:B6CC2BE8845C0774E932B2DB1FBCAF788BFBEA9C
                                                                                                  SHA-256:A4EEE595F17C9F26EB0DC6694580DD5873938DEF495C524EFFB0D82BC3F4262B
                                                                                                  SHA-512:F24E824FE41280C9BC170D9DD1016EFC236650E7762EB115DE02B9593BDBD1649FDE1FCF9B7D387C533AA6BF9651B5AF701ABDD10D2D4B1BB072EBAB1B594DF4
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Su..........." ..0..4...........S... ...`....... ...................................`..................................S..O....`..`............>..P(...........R..T............................................ ............... ..H............text....3... ...4.................. ..`.rsrc...`....`.......6..............@..@.reloc...............<..............@..B.................S......H........'..T*.................. R........................................(....*^.(.......5...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*v.r...p(.....o....(...+(.....*..r...p(.....r...p(.....o.....s'...(...+(.....*..r#..p(.....(....&.o.....(...+&.*..("...*.~....*.*.(....*.s.........*.~....*..("...*.*.s.........*...0..x........("....r7..p(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35408
                                                                                                  Entropy (8bit):6.577511960397023
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6oi0m9/A58Ph+mJ5fvIK0ixTryfCWo/zKeGmquanccOB30RtWW3aUWspNyb8E9V3:KDhbJ5nR02TQCWoJ92tEpYinAMxCtm
                                                                                                  MD5:6628C561065DF3B10639846B7F7DC3C3
                                                                                                  SHA1:ACBE77E78C99E86866870874A2311DCF4902BAA5
                                                                                                  SHA-256:9996C340E4E83C44110028CB28F20E9B24EB126742409FA718F90EA2A16379B2
                                                                                                  SHA-512:DB9BC520D226A1E702DAFB2F2F6E0064984854844AE214F52BAB27E9A8B39F9A5AAFF9BE87BE79FA4C5E4B9D134098AE0B72C424D09E057D1B02A75E79C9F810
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u............." ..0..X..........nw... ........... ....................................`..................................w..O....................b..P(...........v..T............................................ ............... ..H............text...tW... ...X.................. ..`.rsrc................Z..............@..@.reloc...............`..............@..B................Mw......H.......X0..8E...................u........................................("...*^.("......J...%...}....*:.(".....}....*:.(".....}....*:.(".....}....*:.(".....}....**.-..(....*..s#...z:.(".....}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.($.....}....*....0..+........{....oG......+......o%....o&.....X....i2.*:.($.....}....*2.{....oB...*..{....*..0..M........r...p(.....o'...~"...(...+.o'...(...+(*....o'...(...+(*....o'...(...+(*....*..($...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):48208
                                                                                                  Entropy (8bit):6.412254540457386
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:q7d427HfKy1DQ+SKKKKzqPo6Zkn2qZKqLzZdd0UFxlEpYinAMxCp7VCb:q7d42LfKy3SKKKKr8keqBdd0UFE7Hx0a
                                                                                                  MD5:02D75B740B732B9D45BE1C9DEEE82D52
                                                                                                  SHA1:145DE3697B7BCCF7F39EF5C1B813F9A213664017
                                                                                                  SHA-256:D56BEB31BC6BCF54AE02721D3CE2B6F42D7783483B67DB2B11E5C56E8A29EC38
                                                                                                  SHA-512:0E6041D18D62FFBBE4B9906931322F5B3856C462A330922C6264CE99E983811CF139AA52A9C10618AE8035B85B929CBAA3F0DF6FF12D29B9E269E9945C1EB232
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....H..........." ..0.............Z.... ........... ....................................`.....................................O.......(...............P(..............T............................................ ............... ..H............text...`.... ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B................9.......H.......\?...d...........................................................('...*^.('......W...%...}....*:.('.....}....*:.('.....}....*:.('.....}....*:.('.....}....**.-..(....*..s(...z.~....*...0..........(....,..*..(.....o)......&...*...................0...........(.......(*...-..,..*.*.(....,.r...p......%...%...(+...*..(,...*.(....,.r...p......%...%...%...(+...*...(-...*.(....,!r...p......%...%...%...%...(+...*....(....*..,&(....,..r...pr...p.(+...(/...*..(0...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24144
                                                                                                  Entropy (8bit):6.63064410442664
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:by1x30dJaeTP8pBT7xe3SUDtzWzK0WswNyb8E9VF6IYinAM+oC61mx4iw:bq/eTeABdWIEpYinAMxCa24x
                                                                                                  MD5:D73F1C9FDCAA14AA98AD1D62EB4F61E8
                                                                                                  SHA1:25180ED081DBAB955DB2E321A42820313FCAC737
                                                                                                  SHA-256:5AB6AF65EAAA7BD38B13C2E0A184D241530FD113B6DB218AD6D138A1DCA327E2
                                                                                                  SHA-512:35E80F9F724BE46786ABDCC77BA6C4E1065A41F4213ED1B8D25B37C6CF61B7706A5F9AA87A1C5A74C96BC3D2454968541C424D6D1D4B15A64867191A190CFFB4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D3..........." ..0..,..........FK... ...`....... ..............................I(....`..................................J..O....`...............6..P(...........I..T............................................ ............... ..H............text...L+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................%K......H.......0$.. %..................PI........................................(....*^.(.......*...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....**.-..(....*..s....z:.(......}....*..{....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*:.(......}....*..{....*..{....*"..}....*...~....%-.&~..........s....%.....(...+*..r...p(.....o.....o......(...+&.*.0..P.......s ......}!.....}"....r...p(.....{!...r...p(........#...s$...o...+&.o....(...+&.*

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):61520
                                                                                                  Entropy (8bit):6.349315131405323
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:1g+uGuV+1mb5JtoNIHQs1YyH67beAn9eLfLaV7CvS4vEpYinAMxCkMq:1g+uGuV+1mbaqvy9OfLKMS4I7Hx8q
                                                                                                  MD5:64A1C30750E208D114638514140D2FD8
                                                                                                  SHA1:98F1BFAE55DE97059C7BC6A53FC6F8254C6A9EB7
                                                                                                  SHA-256:E329AF9E6DA9753A31B9908BD6F4655C646C20C088589AF9477515D37F73190B
                                                                                                  SHA-512:450FEF2F9C1712CAF22502C9906582EC6DB6D8F6675CFDC78D96BAFF5154675CF52B4A278306FCAD4A231C7E266B8F7690A6FBE23A8DD9455AE0B8FCEDC5505B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....%..........." ..0.................. ........... ....................... ............`.....................................O.......H...............P(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........F.....................0.........................................('...*^.('......G...%...}....*:.('.....}....*:.('.....}....*:.('.....}....*:.('.....}....**.-..(....*..s(...z.~....*...0..........(....,..*..(.....o)......&...*...................0...........(.......(*...-..,..*.*.(....,.r...p......%...%...(+...*..(,...*.(....,.r...p......%...%...%...(+...*...(-...*.(....,!r...p......%...%...%...%...(+...*....(....*..,&(....,..r...pr...p.(+...(/...*..(0...*.*.(....,.r..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):42576
                                                                                                  Entropy (8bit):6.373492302570736
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:TKsIwjxNp8hpwVeEfHuX1QUIh3kOP7oIyWb3jec/uiCR9Crw/EpYinAMxC2xD:bd8hMfHuXbIkOP7ym3jZ/uiCRgrd7HxF
                                                                                                  MD5:25CEB30BC69DC05B69F45F672AC1C1A4
                                                                                                  SHA1:63A1CC9B52CD8995EA1C17794D2F75E6F5E0B6E9
                                                                                                  SHA-256:EA390CC64028A77BA72653504499E9C0B131770DABD23D9E4AC099677B35315F
                                                                                                  SHA-512:0D6780C9B883D555BBDC25E08FAE14EBA3583484B1BBD366188CD9350EECD81B4A3433054872F81EC6B361EA794BC2A217F1A92D4ADE9A83182F7F2B4B9DEF9A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.:..........." ..0..r............... ........... ....................................`................................./...O.......l............~..P(..........8...T............................................ ............... ..H............text....q... ...r.................. ..`.rsrc...l............t..............@..@.reloc...............|..............@..B................c.......H........:...O............................................................(-...*^.(-......G...%...}....*:.(-.....}....*:.(-.....}....*:.(-.....}....*:.(-.....}....*.~....*..0..........(....,..*..(.....o.......&...*...................0...........(.......(/...-..,..*.*.(....,.r...p......%...%...(0...*..(1...*.(....,.r...p......%...%...%...(0...*...(2...*.(....,!r...p......%...%...%...%...(0...*....(3...*..,&(....,..r...pr...p.(0...(4...*..(5...*.*.(....,.r...p......%...%...(0..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):345168
                                                                                                  Entropy (8bit):6.142154867122924
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:1pc1zjTFIfqAnI7FZVllnuJxKrSj8r2yQQLeBLPHGUdlWOAlMoBJR1TaKwQz8weI:MpTCqAn+fnw5h9hdls+IZTWcd
                                                                                                  MD5:E20A8D1854150A56856901090B816B6C
                                                                                                  SHA1:1F2C25FD9435D137ECEB81B2A74FEE6CBCEAD01A
                                                                                                  SHA-256:6D3F41537D09414352E42874430E3D44A8508F6FE843E52F124DBC279E76ECDD
                                                                                                  SHA-512:747A5B2C315E26558F99436B463DD766AD0E99F527A7836055CF5898FD7BE649ED8AC5613148D80F39AF068C2F556463CAE9A242939948F110A8A517E705B3A7
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z............." ..0..............0... ...@....... ....................................`.................................S0..O....@..................P(...`......D/..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H...........xZ..........|...H.............................................{....*..{....*V.(......}......}....*...0..A........u2.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q5....5...-.&.+...5...o.....%..{.......%q6....6...-.&.+...6...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u7.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710736
                                                                                                  Entropy (8bit):5.954282787995899
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:/FIM0KteTMN4Or4D3OdmZg5WHEaEDIGBBjgrIQtD+tVqDMQ:9zMTMNNd+g5Wk78GBBjgrIQtDX
                                                                                                  MD5:35FF6C65698485C13B0796ACA1E1E860
                                                                                                  SHA1:64C4DBCBFB0C81F34E3E8C5552A9B6626C740F50
                                                                                                  SHA-256:683039C3676D8437E99C0A98FB8D4C4D2D47258DAECD897F1532640B2FA82407
                                                                                                  SHA-512:E21CFF5489A6D141CE72D4639F5BCB23F18155EBD64347BD179146D53D4E99285D39E3A1B9483C697D73925B76E56E2AEAE5F63D3BB5C8E9C5B65BCC826F78BB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)..........." ..0.............>.... ........... ....................... ............`.....................................O.......................P(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H............9............................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*.(.........*....}.....(......{.....X.....}....*....0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..o....aX...X...o....2.....cY.....cY....cY..{......{...._..+&.{|..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285776
                                                                                                  Entropy (8bit):6.198879246365342
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:QMiAQB4wmESyxV8pj06e4isQ8gsHsjb/W1DBZ7DhsNcyZ:QMZpj06vUsMjbQ77D+B
                                                                                                  MD5:40F70FD9AA352F6954C048396533A13F
                                                                                                  SHA1:B5CACB14C795B8F03CA62A2FABA9032FAA5C5A62
                                                                                                  SHA-256:135C5B3FC4A3307FB373D466D8E0993F5899AD725AA3A04433D4CB22E205A1D0
                                                                                                  SHA-512:6AD391AD6603C4CA8A168B31968FD9DCC467D23E38A93FD616F5DF38F00A0B4152E6AA9166C37D63D96C32FEAE01DC15709F7E7F2BE37CEE3CA18F063B69EE02
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..*...........H... ...`....... ...............................T....`..................................H..O....`..L............4..P(...........G..T............................................ ............... ..H............text....(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H.......Xd......................TG......................................^.{....,.(G...z..}.....*^.{....,.(G...z..}.....*"..(L...*"..(M...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):38992
                                                                                                  Entropy (8bit):6.2961633461406645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:vdfuvOXFXW/8O6bXD+eeIgLPRsnHnyhQupytM9z7O3zfXYvj8rbPH5nTLhCPsIlc:vxuJRRsnHnyhQupytM9z7O3zfXYvj8rb
                                                                                                  MD5:318DB17FA7B98E18B6C3A6A139341D51
                                                                                                  SHA1:CF98D3D9E98D198D8E30D221EF9ADA5441A88B5E
                                                                                                  SHA-256:4D3114B2CF333C56CFAB3CD9CA3C0C16571D337B7E5EBFE72BCDA5C6BCE49E6A
                                                                                                  SHA-512:8CD7EE526136FDD48AA900193F2A3A9B0B371569D5ECD21ADF1E57A88DF275579C2C42FEC9B48549C505A605FED016696377FB5B80261EBF36706F818F9C0232
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..f..........Z.... ........... ....................................`.....................................O....................p..P(.............T............................................ ............... ..H............text...`e... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B................;.......H.......tF...=..................t.......................................2.o....s9...*6..s4...o....*..0..>.......sg......}......}......}.....-.r...ps....z....h...s....o....&.*...0..C.......sk......}.....-.r...ps....z.{....-.r...ps....z....l...s......(....*..0..{.......sm......}......}!.....}"....-.r...ps....z.{!...-.r...ps....z.(....u....} .....{ ...,..{"......+..}........n...s....o....&.*..0..U.......st......}(....-.r1..ps....z....u...s....(...+&.~....%-.&~......f...s....%...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27728
                                                                                                  Entropy (8bit):6.552984475987511
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:iSgpZUlMxR5I1z8w3Uta2lQBVMxzMJktYm+9HWXCYBNyb8E9VF6IYinAM+oCKtKL:iSCZUl2O1zCnXyzD6EpYinAMxCk/kp
                                                                                                  MD5:DB2C92A173A2A0373A1F8190E95FA17F
                                                                                                  SHA1:FE61CB7B6B8E90E438F17A58775F3A70235744CA
                                                                                                  SHA-256:DD3547F40D823D6B0462C9C11CFAEDF306E01782BF28AEA9B0C31DF6812D7E81
                                                                                                  SHA-512:66BE8021026769C4509577F77650DD4D20C50EBDC6111342AB91A0C590118E5288B5524E6AF104B1505602231B3B14830E318563FA83F1F1D13C9F06CDEAE86D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....m..........." ..0..:..........vX... ...`....... ..............................e&....`................................."X..O....`..h............D..P(...........W..T............................................ ............... ..H............text...|8... ...:.................. ..`.rsrc...h....`.......<..............@..@.reloc...............B..............@..B................VX......H.......H...H(...................V........................................(....*..(....*..-.r...ps....z.-.r...ps....z..s......o....*v.-.r1..ps....z...s....o.....*...0..V.......s.......}.....-.rA..ps....z.,..o......./...s....(...+&+...{.....s....(....&...(...+&.*...0...........-.rQ..ps....z.o.... ....1..{.....o....*.{.....o....t......,..*.{.....o......{..........(.....{....o.... ....3..{....o ....{......o!......,..(".....*.........U.4.........s#...}.....s$...}.....s%...}.....(

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41552
                                                                                                  Entropy (8bit):6.321380010408937
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:MUqoXsEgfFHoiikZ9y3BHdD+XR/tGo06BWEpYinAMxCD:jLrgfPw3mXREaX7Hxc
                                                                                                  MD5:680AFEE0D0AE8CBE3C14E8B2E98331A0
                                                                                                  SHA1:A4536CA35F55179DCFAF8507D8BED284F8A87285
                                                                                                  SHA-256:9BECD7633640CCA28369CE850BE2F2EB7F3D41B32289D7E4D99FD53E014844F5
                                                                                                  SHA-512:586B4D5AB7274E0BBD26CA7B6A08A39D83CCA6B134523342094F0159E42873AF987908DAF52B7947402288E7C399C78EB63658C3591C708A24B7270936B16F5C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....z..........." ..0..p............... ........... ..............................5|....`....................................O....................z..P(.............T............................................ ............... ..H............text...$n... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B........................H........<...O..................X.........................................(....*^.(.......D...%...}....*:.(......}....*:.(......}....*...0..,.............................................(....*.0..*...........................................(....*...0..(.........................................(....*.0..&.......................................(....*...0..S........-.r...ps....z.-.r%..ps....z.-.r/..ps....z...s ..............................(....*..0..V........-.r...ps....z.-.rM.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138320
                                                                                                  Entropy (8bit):6.160416546932122
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:cobKO7RaoWuUeZk/f0Sh1HlWZm1ZZTdyGFkNUMT+P65jDtYQn:JbKKz1UeZk/Phv8lDuPaf
                                                                                                  MD5:347415351ACC3FA1BB4B12FE70D8DB3E
                                                                                                  SHA1:CD659D48CA294880D2A950521869E3629B680873
                                                                                                  SHA-256:72A60990CB728C500FEDB1A6BC89D8EDF4661C89FBE3B899A7D8B2674C59CA1C
                                                                                                  SHA-512:CB8EE748F5604EB81299B48B8C0225B1C9FB557472112CB576304E6A52BDF4343BF28F1169E4B60C60357D26910004012D136997C165E226E1B5FECDC397F878
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\..........." ..0.............6.... ... ....... .......................`......j.....`.....................................O.... ..................P(...@..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......h...0O............................................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. ... )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0..b........r...p......%..{)......%q.........-.&.+.......o2....%..{*......%q.........-.&.+.......o2....(3...*..{4...*..{5...*V.(+.....}4.....}5...*.0..;........u......,/(,....{4....{4...o-...,.(.....{5....{5...o/...*.*. .T.2 )UU.Z(,....{4...o0

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):150096
                                                                                                  Entropy (8bit):6.238069789487319
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:c0B07tjJYVNSCn+tn3nUMI000000I+49U2BL1krvm:v07iSqSnkMDjyC
                                                                                                  MD5:06740FA9E73A184DCEF81A0F9964BC0B
                                                                                                  SHA1:E0D18EFACEE6AA0431EFBA2ABD4F0BB34E47BB41
                                                                                                  SHA-256:91A4499366A332F2EA2EAAF8CCB1B67582553E8ADF067DE6D3FDC4D8B4389071
                                                                                                  SHA-512:B021F4ACDF88EB321981278F8F38D385D200227C975C3A289B2D1BB2D948C5336B78196119B07CCE8C6312926F9F1DE07CB5D0A8D4ADF979C664C8B8A25CB805
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....#9..........."!..0..............4... ........@.. ...................................`..................................4..W....@..............."..P(...`.......3..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................4......H...........lV............................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(..... ...._.S...(......d.S*..0..&.........+....(....G...Z.(......X....(....2.*...0..L.........(..........(.....Z.(......(.....s....~....%-.&~..........s....%.....(...+*...0Y..5...0Y*..aY.5...aY..X* ....*V..0Y..6...aY......*.*.s.........*..(....*....0..&...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52816
                                                                                                  Entropy (8bit):6.18197692498772
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:NtgEqel7clEfRWOuDXaVIWb0TadZjirgFDrGfmAXOaYbMlfEpYinAMxCr:NiprEfsOuD0hhji6DrLbAY7Hxk
                                                                                                  MD5:161E234AD2B220206DB6341B670DBD06
                                                                                                  SHA1:B5EAA6BE5BE77227139F2298312A406EC959ADBD
                                                                                                  SHA-256:DF6ABCE21AEDCF0106303877C88F0039C52BB5C5B98B537D9C079874965E9875
                                                                                                  SHA-512:4999FC5AE69EF904460794C33D9E5642ED2E47A4104C6DC3CF958DC524159F59D3335547BCA5EFB182D87773124BC6E35C524B2488CE0EEBA351BE5FAF3DC5C4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L..........." ..0.............Z.... ........... ...............................s....`.....................................O.......................P(..............T............................................ ............... ..H............text...`.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................;.......H.......<5..,m..........h...0.............................................()...*:.().....}....*.~....*...0..........(....,..*..(.....o*......&...*...................0...........(.......(+...-..,..*.*.(....,.r...p......%...%...(,...*..(-...*.(....,.r...p......%...%...%...(,...*...(....*.(....,!r...p......%...%...%...%...(,...*....(/...*..,&(....,..r...pr...p.(,...(0...*..(1...*.*.(....,.r...p......%...%...(,...*...(2...*.(....,.r...p......%...%...%...(,...*....(3...*.(....,"r.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34896
                                                                                                  Entropy (8bit):6.290935546349103
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:K3wGplLcGsTK/lWNVz7MW+N92D1NlteVXEpYinAMxCwU:K3wMZ1lWL7MW+N0peVQ7HxRU
                                                                                                  MD5:7D9DF905042D334B4A966BD1AA8FB08B
                                                                                                  SHA1:3ECC8AD781DB2F3A01C09993BE7D31A878AF4105
                                                                                                  SHA-256:7C6F7FF7350CDAD1F7025CB1B0FFADBCA99F801C7D0B9C2F11F5A9AE2F2E53A7
                                                                                                  SHA-512:BF17D7A918469726B0325AE2BB35C00D1D5BF3BDA73FDF0397A432F271630A4CCEC2B4A30A677697F1E34AAE81D8FB37A076581C8B78C35B28141AE5ABFEE53D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O............" ..0..T..........6r... ........... ..............................V.....`..................................q..O....... ............`..P(...........p..T............................................ ............... ..H............text...<R... ...T.................. ..`.rsrc... ............V..............@..@.reloc...............^..............@..B.................r......H........(..h6..........$_..8...\p........................................(....*^.(.......7...%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.~....*..0..........(....,..*..(.....o ......&...*...................0...........(.......(!...-..,..*.*.(....,.r...p......%...%...("...*..(#...*.(....,.r...p......%...%...%...("...*...($...*.(....,!r...p......%...%...%...%...("...*....(%...*..,&(....,..r...pr...p.("...(&...*..('...*.*.(....,.r...p......%...%...("..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):71248
                                                                                                  Entropy (8bit):6.13173802618335
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:pQuedlunqpC9yYxC9P7tt08eeykGlsESo3+7Hxr:g3KICHxC9ZJexRsG3+x
                                                                                                  MD5:F85B82A5B08CCAA5359DF86C5A7EAF68
                                                                                                  SHA1:6CA8520D247CF38F1D885B987B77892CC94397F6
                                                                                                  SHA-256:EF4402FA640506310B85D639DFB2848DBA25DC9AFA331088F8EFB7F0877EE8C8
                                                                                                  SHA-512:ADAD4A9E3BC20726986FBA733EA1C2A3490E1C15A92E339A4E0F187EBF0BABFB598F02CEFBB9F54A50343150E365F0D47B31A06054864D8C48ECD5F58445E31A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....n..........."!..0.................. ........@.. .......................`...........`.....................................O.... ..................P(...@..........T............................................ ............... ..H............text...$.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H............w...........d................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*^.(...........%...}....*:.(......}....*....0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(......R...(......d.R*....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(..... ...._.S...(......d.S*f..._....0X....91...X....*.~....*.0..........(....,..*..(.....o.......&...*..................~~....%-.&.....(....s....%.....*.r...p(.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):543312
                                                                                                  Entropy (8bit):5.987161302939433
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:a6+HbUMHVgQO61+5ZpvsQ60OghEusa4UQgce0x7KjF76pkLzLFEnJEIfibgPKiU5:a6aRgsgfEU4UDcxkLzJEBsgPKiUYFHsv
                                                                                                  MD5:76B3958BBDDF8E1A58B08581EB4B5CC2
                                                                                                  SHA1:B51FFBD175BF70D20C4184FEF53764966DAB2393
                                                                                                  SHA-256:0C13A1B28BAFB47ADB5D8B9E86923116258CB4E4CCB3C84310B360D4D004C145
                                                                                                  SHA-512:7B43FA7B09C19B01E96B94028EF9EBE4CF44339437A517011702239BA247189F0D3EE8449E6913F82A41E86BA7E80CDFC9ADA9E7DE5423A38F0DBC434725588E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B............."!..0..............3... ........@.. ..............................%.....`.................................h3..S....@..............."..P(...`.......2..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H...........s...........C...w..H.........................................(....*^.(...........%...}....*:.(......}....*:.(......}....*:.(......}....*:.(......}....*.0..&........(.......(..../.(........(....G* ....*...0..@.......(.....3'..0Yn.!.~...~...i.?_b...@jY..._.j2..*.*.(.... .........*B..... ....s....*.~....*.0..........(....,..*..(.....o.......&...*...................(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.560006548424685
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:AiWWNv/jzSENtqcadVl8PandjJUf7ZJSqSi/ufPU1S5rxg0XWr:v1Nvb5adVl8P2djJMZJSGu3z5rxg0XWr
                                                                                                  MD5:63E9B310597AC25A1CEAA55B6F0CC9F3
                                                                                                  SHA1:0C5B170ABA511F479E593727CF7F562523EA7E8C
                                                                                                  SHA-256:96B51BB87A1F4072D10B774FFADF81AF93881900571D21FE638E10E3FB0220B8
                                                                                                  SHA-512:3BAF3836F8F42DF2D3444409115A3564B0961CD3141CC46E248E6E29A59EC773E511477D8DED4BE05125F2F45E987FD6F94AC5676C318A728B7CA63EB78E9056
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................9... ...@....... ..............................;.....@..................................9..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................9......H........4............... ......P ........................................H.W..Q.2.<.L......H.*...W.!".5....8...}P1......#....Z.N..d.....o...P.....@G...g.g..7.w.!V_..4..7.=.G.".8%..q..G....a...............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10240
                                                                                                  Entropy (8bit):4.43329064965383
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ycWWNv/jzSEStoC1vxx6hUltfxx+BE00cUnAPq115rxg0XWr:yc1NvbGVxx6hUltfxgE00cLq5rxg0XWr
                                                                                                  MD5:94136496103CA7B4425EB6D639EEC501
                                                                                                  SHA1:AC8F3F4E7C04D4BEEFBA94004A114880662C8387
                                                                                                  SHA-256:A3A44472A3944FF0D5C31241BF6DD9B6AE04EAE03581D338B53E3E41EED7141D
                                                                                                  SHA-512:04F4614C5BCF97EC643079D50FFA800B2F89A503E02D7DA6FF97AA463993A6964833068063C5A144C7E7D44BEAF082B43EA672F66B4E831EC2CE828666C4965B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................n:... ...@....... ...............................x....@................................. :..K....@.......................`....................................................... ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B................P:......H.......,5............... ..\...P ........................................^M...=..A'R..\N.....U.{..-.Y+........E.?.......3.....#..9.v..2q..?..L..>s.SI.....}...M..Q.=.w....(<.I...,....>^..E..J..X..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10240
                                                                                                  Entropy (8bit):4.581775279455886
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:R/WWNv/jzSEYtPpmKJiDjgmlRFI0HYZDKz/VPH1g5rxg0XWr:R/1NvbdKJiDjgmlRi0HYZDMa5rxg0XWr
                                                                                                  MD5:8C7822BE67F1576F2E11817826ABE40E
                                                                                                  SHA1:9B9EDD5FEE4415CB7FB09F0940BEAAFF1C107EB7
                                                                                                  SHA-256:C9A7CFE32AB4567D671A84397ABDA29CC92B21CB412CE0F0DF12352C68B7460F
                                                                                                  SHA-512:70F76DFFB3FE25F1D3550BEC3C168805AB422C6A0505DDDD21EB2A5B59F24D5F37AEDE0DBEBCF16F821868789E17A87AE61442BE6525ECA0461C0146E4E6B850
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................^;... ...@....... ....................................@..................................;..W....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B................@;......H........6............... ..?...P ......................................S...8cY)..6. .X.YE...W.....*.......r.~@.]\.D.3.....4I...P.u.....Y2Y.n....)@.xV.#g..V.tI.&.gy8....)U..@k..n...FF..w..6.) R.;..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10240
                                                                                                  Entropy (8bit):4.368843686720491
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IiWWNv/jzSE5tyT1TNgr1nJIhZAf/07mPk1q5rxg0XWr:31NvbGTNgr1nJI3+07M75rxg0XWr
                                                                                                  MD5:79C01911FD90F929CCBD1D4964D2C17A
                                                                                                  SHA1:1878855F9C350B245C3258204A754770CAD776A3
                                                                                                  SHA-256:E8F0F7F9E9F2D836AAA341A39D3B395B397BAC0B88F6DDED3F159A6C8D2D74A1
                                                                                                  SHA-512:0C820224F516FE888621C09E3ED1870AC4B702AB97B1CE3CE4463445FC96F9D8798C97B6AE6ECFF1175D8D8EE8657052AF0E42D03B55340635CF9F5E65A9D6FA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................9... ...@....... ....................................@..................................9..W....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................9......H........4............... ......P ........................................^V..d.~.R.t..i....v=.pIE\..#.}-{.u4....fIk.9.A..G....P_.S.u...w...J.AY....,.v.. ...A..."./..%.z+...".e..:.d....t.G...o................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10240
                                                                                                  Entropy (8bit):4.593201257102684
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:9SWWNv/jzSEYtq2dE1cxy8ON0Qsk96sPE1V5rxg0XWr:9S1NvbaG1cxy8ONHskd85rxg0XWr
                                                                                                  MD5:437252DA54AB3171BC7DE366E5494AD8
                                                                                                  SHA1:A4FCFD9240B28C836240D4CAA4C9EC8DE38F6E9F
                                                                                                  SHA-256:9BFB9826E286B55AA5A580A5C220114063871B1EA8C541DF783A73EF8E72806B
                                                                                                  SHA-512:8D56A2EF0DE3B3BF16FE4D931EE6D6A8119E4CD7B3FFA52AC3EF65CEA2A2F4C4E99ED536757546A54CD5A2318A1BA4E70E6425367402CFD06345FEA6EE8442C0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................;... ...@....... ..............................._....@..................................:..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......&..............@..B.................:......H........5............... ......P .......................................4....4...L.."...J...%-..............Drc....4.....n.3Cw .r$y.4......%..5[YupFe....R..!`..#h.I..-3..kH..:~ya..P9....PD.}...............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.84740063117937
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:AHwWWNv/jzSEfthb7O9JKggIOrCPPzm394in3fwB/CZPlN1O5rxg0XWr:AQ1NvbH7O9JKgglrCPChnYVC5E5rxg06
                                                                                                  MD5:44CC811E193FB220954A0E56AF6F7682
                                                                                                  SHA1:B1437F518F3D8E8DEAD506D7E352B69593486244
                                                                                                  SHA-256:8CDCF449550DF3F9CACD3A8A41D19D6144BB0FED630825D6118D4077F637BC35
                                                                                                  SHA-512:E3FE956494F6179D6A725ECA38FE0E0739A14300DE035093212B0169BED45374E3792EBF7DF916996923777CCB9842C04D9B954D30094D51CE81A892D8F49385
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!................~=... ...@....... ....................................@.................................,=..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......(..............@..B................`=......H.......88............... ..e...P .......................................s....E..s....D6..|G....Kc....,..M......8..................}..\.bf..qe.T....w RF..B..y5fW=...N&GE(..[...._.H.....Y.c...ta..............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):71312
                                                                                                  Entropy (8bit):6.106692533939604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:mxuAEP6SHdOP71+KXUk/lsQDzZfOmLeSo0df9Xzlu:eEP6SHdOItSlXfNeSdf9Xxu
                                                                                                  MD5:0631D48880E7DDDDE2733C133BA486BB
                                                                                                  SHA1:08BDC5C585123FA5F3B4D670DC92CBAA7620725A
                                                                                                  SHA-256:AAD8B9A018FC4C4601EDC7C9169370EEE26628C4D90F967C947BA9A81EC4B224
                                                                                                  SHA-512:3AD9C20EF888DBD78AD99673E2242ED45006F204FE704076C7791A681849E4A5DDFA9E38862F26DB8203262536E92F1757FDB6982A9FDE1625C3825D89F08A41
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....T............"!..0.................. ........@.. .......................`......B.....`.................................x...S.... ...................(...@......x...T............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......,...Lx..........$d................................................(....*^.(...........%...}....*:.(......}....*:.(......}....*^.(...........%...}....*:.(......}....*....0..E........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(......R...(......d.R*....0..K........ ...._.b..._X ....Y..e pp.._.d.X ....X.`.....X(..... ...._.S...(......d.S*f..._....0X....91...X....*.~....*.0..........(....,..*..(.....o.......&...*..................~~....%-.&.....(....s....%.....*.r...p(.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):801048
                                                                                                  Entropy (8bit):1.7800450887072108
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:8qirVlWQX3WT56Os1HnhWgN7acWf53p13s5yX01k9z3Agrf8mNVf0nj:8BriQ+5kHRN76HcYR9zPrf8mrf0nj
                                                                                                  MD5:7A44C33341844DBE9C6FA526AF88E80A
                                                                                                  SHA1:0ACABD100F61A2F8B3C5E68A270599AD54EB8A39
                                                                                                  SHA-256:68F73AB17FB7F4AFF3D35EF6DB0E9D5B0FA0151111CB3D03992E23BC29D6C40A
                                                                                                  SHA-512:B81D63B345C193C6DEF17372311447D305AE167B2C4D1C2FDB0344D1E1EF5FF4F9D52599FFD862B2480825B308178737DF7E5E48C31E712339F009E92B6EAF57
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...|'............" ..0.............&)... ...@....... ....................................`..................................(..O....@..l................)...`.......'..T............................................ ............... ..H............text...,.... ...................... ..`.rsrc...l....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................H'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......`...#Blob......................3..............................................-.....-...0.....M.................R.................h.....7...........[.....x...........D...................................).....1.....9.....I... .Q.....Y.....a.....i.....q.....y...............................#.....#.....+.....3.X...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):159904
                                                                                                  Entropy (8bit):6.097873216527841
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:eXCCOOz54xuTlmyRmIazZ11Ip5ZUWISFogVJoQyaH5MbDiz:Wz5dQ/cpJISF5c8abC
                                                                                                  MD5:950CD24EA3A9EFE5CCE594A8B228AFDA
                                                                                                  SHA1:4609AC99EBD157E4C9BF7E276EEA961C4BB3AA4F
                                                                                                  SHA-256:2AF781190AB7C97D6B846D5027745D609AD227665695E8ECB3AFD4CC9FCE6537
                                                                                                  SHA-512:2E8D0DE29E62732458472B8FA5AC35C48416E6AA5034BE309F688A095E6222A215EA3318FA02358707FBB98918983F2AB8996AC6703585485533ED4975AB7E3F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,............" ..0..>...........]... ...`....... ..............................T.....`..................................]..O....`...............H...(...........\..T............................................ ............... ..H............text....=... ...>.................. ..`.rsrc........`.......@..............@..@.reloc...............F..............@..B.................]......H............}...........D..0....\........................................(-...*..(-...*:.(-.....}....*..j ....n_ ....n3..*. ...._ ....`*....0..w...........o.......o.................o.....o/.......o.....o/.....(0.........().....(1..............,..o2.....,..o2.....(3....*.........?Z.......0..K...........o.............o.....o/.....(0....(*....(1.............,..o2.....(3....*.........)8.......0...........(+..........*...0..g.........(...+....o.............o.....o/..............(

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):86816
                                                                                                  Entropy (8bit):6.013720216920584
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:rqz3g47M9YIB/nRPP6eyO0MIq6y7suFvTbqtN0p7pqHUzH:rq3M5ftPzTLIq6y7sgytNK7p0Uz
                                                                                                  MD5:AAB8F9887FA45F30FE04472352E5AFEA
                                                                                                  SHA1:8244D05575D13E605B22538D7AE66D4805BC45C0
                                                                                                  SHA-256:7DFACED56145F3C6B80DE25A09E0DF6729149EF3C6A8F8F1B559E93B914FD2DE
                                                                                                  SHA-512:97BA85978B48324908427833374CB3C19DE01F136D29A3ADCAC350A0555B30087513CD33BB7B18F0CB52CB3E8884E0ACD1BD256704A8B96EA0C4CA8A0F8135CE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............<... ...@....... ....................................`................................./<..O....@.. ............*.. )...`...... ;..T............................................ ............... ..H............text........ ...................... ..`.rsrc... ....@....... ..............@..@.reloc.......`.......(..............@..B................c<......H.......hP..............h)..8....:........................................(&...*^.(&......K...%...}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*:.(&.....}....*6.~'....((...*R.~'....((.....()...*..(*...~'...(+...-..(*....s,...(+...*.*2.{-...(....*.~q...*...0..........(....,..*..(.....o.......&...*..............$....0...........(.......(/...-..,..*.*.(....,.r...p......%...%...(0...*..(1...*.(....,.r...p......%...%...%...(0...*...(2...*.(....,!r...p......%...%...%...%...(0.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.709151479489131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:0uWWNv/jzSEhtiBbSEmfO2mdqeCtzEc6yCPVo1L5rxg0XWr:J1NvbcbSEm22mdqet+ws5rxg0XWr
                                                                                                  MD5:90289DA899746E328816734D723C93A0
                                                                                                  SHA1:6AF8E30872729E89FE0A7C01D99DACF4AE6726CF
                                                                                                  SHA-256:2B3853CEBEA222ABB31C2B1E3D6CD19A2F6621ABB56954162751A2B592680676
                                                                                                  SHA-512:ABB6FE5216B412CD85E139D69657A40BEEBA00F2DD0DF1795AAD8CF27C13D9CE0EB2DCF3904CA445678D689CE56FA2C169ED7B40490181EA6B770B1A634A6D4B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................8... ...@....... ....................................@..................................8..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................8......H........3............... ......P ..............................................~.Xi.....05.]..sE04.hg.'...../.K'l..a..m..Z....q..m..4&....h....le..|.Z...../.....!*............<.XV$!./..})................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7267524338984295
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:T2WWNv/jzSEhtimYtEq40uI7Sr2fqmxkNeo7R7L7c7xM757odHK9nPo21f5rxg06:a1NvbOtEq40uYSatEdHwWloA9Pb5rxgJ
                                                                                                  MD5:2356F25971B72EDBB3303AEA1BEFB9A1
                                                                                                  SHA1:60780C3E4F36829A0038BF56CD929148A0A0523C
                                                                                                  SHA-256:99C3F55737EBC53BA4EAA92FAAE23EC8AAB9149826E5D821D6BC976706BED237
                                                                                                  SHA-512:3252FE8D4A04F4EF79DB76DEB446FBA236E0B281E0B1B35488198D8A5D8EF0F4890ED68DB0E93CA17CE3783B6A6A4D71EF5F8979F917E05D4DDAC638DF082A60
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....b...........!.................8... ...@....... ....................................@..................................8..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................8......H........3............... ......P ........................................u..q.:7i...g.'=......a.2j.V.:}......o.....F5.Sv....v.|...(.':KP.d._..D..s].Nx<..e........k.......P.0...h")g..N.>...@...).6...............lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....G.......PADPADP..7...7....\.....`.Q......!...........:oH..S....c...........L.}..>.. 2...3...5......:...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1152141
                                                                                                  Entropy (8bit):7.9996934105504405
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfs8+5iaSpFiz:65Lm++hGZ5LnZMO8f+5Aiz
                                                                                                  MD5:9A9B1FD85B5F1DCD568A521399A0D057
                                                                                                  SHA1:34ED149B290A3A94260D889BA50CB286F1795FA6
                                                                                                  SHA-256:88D5A5A4A1B56963D509989B9BE1A914AFE3E9EE25C2D786328DF85DA4A7820D
                                                                                                  SHA-512:7C1259DDDFF406FDAADB236BF4C7DFB734C9DA34FD7BAD9994839772E298EBF3F19F02EB0655E773BA82702AA9175337BA4416C561DC2CB604D08E271CC74776
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-.....}BrX.j5.........-...AgentPackageADRemote/AgentPackageADRemote.exe....0........d......0.....r...,.. UMA...|f-].=.U.j..p.....r..f.<..Z..g}m..LC.T.....Y.{s\.k... Y.....4..}..h.<L......L.........z.i9.K..~.ue."#"r.r..p..0.\./R...C.w..8..-.3.t...(.c..P..N....q.v&........u.a.e...]...9....r.@.=\v..B.~{|c.j.S...JL!g..Y@Ts9D$...)P.......{..8...Y...K...Z._".@.....a.8.P..7...ZY.-D8f\..ej.....@.w.$R>Q.B.....V..@..9....zdB..x..GK.....LDp...Xc......x......*.u..R..,...#...Q,.V....}..W....oT.._6n.g..bK.p.s...pABSv0.7..'.JK ....b.Y.-.B...!'Tjsn...."V......B.@.<CQ.K....>D.5E..w.'. ._%E..-......7.M..u1nr.7....T[.%6..t...Z..Q.;./....k.V....J-.\`..d...K.c. ..D.G.j.../..z..k.KH.....!..M...8....fr.......m....2..4-... ..CF...skN*.kv.E[3."gi3.Uv..*.S...n..~...)..!V..>...D..2..b..}..xW.ZPd..X\.g...1.RY.u.]p..Z b%r.....Hc.N.+[E...Q....3.K.H.....)NQ@L......./2.v..q...*.-:%... "...`...i..+!.D..q.];.ARRrQZ.B. i...M...Qy$.....p...A.U...=...LHF%...]..l.S.pl1....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52272
                                                                                                  Entropy (8bit):6.139785828189609
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:avB4oeg/Po2Obb95bmrpeALHpZAgEpYinAMxCC8:ruQpbHbklAp7Hxx8
                                                                                                  MD5:3180C705182447F4BCC7CE8E2820B25D
                                                                                                  SHA1:AD6486557819A33D3F29B18D92B43B11707AAE6E
                                                                                                  SHA-256:5B536EDA4BFF1FDB5B1DB4987E66DA88C6C0E1D919777623344CD064D5C9BA22
                                                                                                  SHA-512:228149E1915D8375AA93A0AFF8C5A1D3417DF41B46F5A6D9A7052715DBB93E1E0A034A63F0FAAD98D4067BCFE86EDB5EB1DDF750C341607D33931526C784EB35
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0................. ........@.. ...................................`.................................p...O.......................0(.............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........B...s............................................................(....*.0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..(....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.0..........s....%.o...+o....o...+&%.o...+o....o...+&%.o...+o....o...+&%.o...+o!...o...+&%.o...+o#...o...+&%.o...+o%...o...+&%.o...+o...+&%.o...+o(...o...+&%(*...%.(...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1782
                                                                                                  Entropy (8bit):5.026919218581437
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3rrb7h+1/gYo27RgdSagFsg+w3Sg+CjdgDt:7rn4cwCR
                                                                                                  MD5:13CFEB2261E4DAEAA3C06F7A60078F91
                                                                                                  SHA1:D76B6D07D8FEC75789025FBAB18048AD193B1462
                                                                                                  SHA-256:6BBDCC477F0C1EFBD0129AC7716F96CC2844103169AAEBFF03D4C8F5C54745D6
                                                                                                  SHA-512:F804155363FEB09427F7C8E968EAAA7DDA15F739769864A23C8A0FC9137151A03F02FB30B11F47A69DDCEFFF02BF933721C3757A3FB78C705D0537205BBD3A92
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11
                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhTLV:WFLV
                                                                                                  MD5:530F2E4E5E3DDA283DB3C78CC0C13297
                                                                                                  SHA1:CF60B778D32C9562B94411DA9DCD8FED2017AB84
                                                                                                  SHA-256:447163A4A3F1F10AFD9EC48F915085B3236F0FA7EDC9973C16925EDB5F6CF0CC
                                                                                                  SHA-512:DD4F7AF9A0F57707D1924BB504D3FC267B4898B909CF6E6ECD274BBC9B487A5CE5D8000E3FAD6EC0061E565C728455965C91F1B4E380227264AD2EE3E2990E28
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=6.0

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95792
                                                                                                  Entropy (8bit):6.184818983275012
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:GQ7brNBoXFbuhpLHbTOgemUu7+n3uRw1FlQRd5JY4t5K56y0sDrUfvPrhZwLXF7X:GQ/iwLWgeW+neRw1Hyd/YCs56y0sXUfG
                                                                                                  MD5:23C8674C75D5944445BF1C035E4A4789
                                                                                                  SHA1:A1255CEDEAC9F9A04B50C7814CD7C61A50623A19
                                                                                                  SHA-256:D2043F878740F643BF91F3EF798DBB9747904A1D503AAC4ED2108131F663AB37
                                                                                                  SHA-512:52ABA8350A05E9E5A672CB04CE528CFC4DA009247B2BD8B63096AF9A37C1F352A4C2BD12B03973AA1E733551F94F542814E425223DEF2AA33B595AA2DC555A95
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Bd.........." ..0..D...........b... ........... ...............................{....`..................................b..O.......8............N..0(..........la............................................... ............... ..H............text....B... ...D.................. ..`.rsrc...8............F..............@..@.reloc...............L..............@..B.................b......H........j..l............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tQ...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95280
                                                                                                  Entropy (8bit):6.002764283325334
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ocNQW9Tbp/VgiZi7sT5gdBxYJMcTnbJkI+eD7HxSR:ojobJVgiHMcr5Da
                                                                                                  MD5:10961147A546FFCD8B7C19771BA70198
                                                                                                  SHA1:5B63EEA0B2E53DB81AFB146D469E899E1E67DACF
                                                                                                  SHA-256:95C53735107ADCC39E6C3268335B2AD434E2364A007CC97B2147AF3A6EE837F3
                                                                                                  SHA-512:9830450FF9E8D2E6B74D8D8938A18DFB1BA008249D389FB923D5AAA25B7F8F9E5BAD4CB3FC13100C5F53B0CCEDA4E9427E90F2B733EA9BE0FFAA5D5F165C815E
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..B..........Za... ........... ..............................~.....`..................................a..O....................L..0(..........``..8............................................ ............... ..H............text...`A... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................9a......H.......4i..,.............................................................(......}......}.......}.......}........o?...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po#...o....*..{....o2...r...p.(....(....o(...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.656654225594367
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5XqQ:5Xh+tYmNyb8E9VF6IYinAM+oCaFXF
                                                                                                  MD5:96703E15C375B8A701C9D1F5BE8C4149
                                                                                                  SHA1:B058FA32FBDA52D70C1B966640B4824D5487ADC4
                                                                                                  SHA-256:3F830FA8F22EB09D59088705E26DCE964FB430722E91630B03EB15FCC48359A0
                                                                                                  SHA-512:3D7515BBFD018BCB24C69235A65F401BCF00D6932E412696FF31DC6EDE9436B2D4E5983450C9F88AF7B52D18949B4C1EFFEB9C3F94E85DCE57C4495F21D21A86
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ....................................@.................................",..O....@..(...............0(...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52272
                                                                                                  Entropy (8bit):6.410547751816252
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:KQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAM/:K9ML8LW/usybGYVE8mZw+89Wu1e7Hxas
                                                                                                  MD5:20FC2DB17D09554BBC37785B3644DFC3
                                                                                                  SHA1:AAC4CA54730DB46145748AB419CF6BE3B39D2A74
                                                                                                  SHA-256:4151D6C627A324D9F2991A4D98BB7544926DB41B3211EDC1B2085922B1D1FC46
                                                                                                  SHA-512:62F6711FD2861BEA0FC214882678CF7F98CB53E8AF858C46CCC1F5B1F2FF9C22DCBD3A184A9DE9AD2D2148F0B529426DE7F793A63A459D72D2DCB048DF4E40FD
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&............." ..0.................. ........... ..............................&.....`.................................>...O.......4...............0(..........t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................r.......H........E...s...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....P.........io ...&..i.X.P..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....P......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):398896
                                                                                                  Entropy (8bit):6.13440642371392
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:hjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvr:h+e55LgIkTmyAAfTnMLvr
                                                                                                  MD5:A79C5395D945A1A369EA05D73B1170E4
                                                                                                  SHA1:937D030106FD7E88B61E4F4D1AC28A3B9FFA0AA4
                                                                                                  SHA-256:7580F72E7059A9DBCF41C94DC69ECCA0B3A983C010DE86B9A509A701163AFEC0
                                                                                                  SHA-512:176C719C2595A6A01041EC240D5341FAC5AB6137756FD70F71A1B5C5A6E9A923FB61760808840D439CDBAB70ADFAEE137B13600875E0BC3A209E501DB84C2AAD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......^....`.................................v...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):883760
                                                                                                  Entropy (8bit):6.071525670553409
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:Y1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQm:Y1n1p9LdRN39aQZUq3
                                                                                                  MD5:022108AD251A8942E295269CA824DE07
                                                                                                  SHA1:05CE96EB21FF69C5ACE572405A39936E594B7043
                                                                                                  SHA-256:353FC27D930C31219086C6D391B0502AC298F6084DFCB3EA423DD1DAB3BA1907
                                                                                                  SHA-512:49028D3C1C7C8FAE813F294577B97EB0C66F2D62DF880072AD59679460D55A6DEB1546DDF07A7353563910E21F4D53F5FCB4BD421887D7B75429083CA200C16E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960711597816388
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:yBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUc:yBjk38WuBcAbwoA/BkjSHXP36RMGl
                                                                                                  MD5:25879E885A79F4548FD878EAF4A82396
                                                                                                  SHA1:AFB8D0BBD5687D2FC19C7A3FB66EA3DF1886DB8C
                                                                                                  SHA-256:3DF7B27F8649C95C56F1F68A040F29FB28EFF6756F8BA78C480DFBB541E59E4A
                                                                                                  SHA-512:39EB28B89A077D37FC8076A364B26ADFD348F6DC891AC08FACCFB071D3806C32AC0A3A5D82E8D4DE01DF6F9E1C4271CCABFA8FF7248CF6886BEF8FE4BDE51B6F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ......5.....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):284208
                                                                                                  Entropy (8bit):6.117274836584594
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:NZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHU:fgo0WPVTXg0
                                                                                                  MD5:66DEBCC5962642D31706EA1B067288A3
                                                                                                  SHA1:FB6A76C0E5189F66FE1D0E192349077A45BF437F
                                                                                                  SHA-256:8CBC47B453EA20F1EEA3337981A1A975A16B68B27AA156831D2B4AD0B63EA980
                                                                                                  SHA-512:5C485C7D319BA9C019FBDCA48833D3628E6D9EA6F3AABFA47A519C363BA81D11265427FD470D5D665795B010A26E751DA404DBD70895E5EAFC83CBD50D83ED2B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.676829122620627
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqXLP:TuhMaVmzDC67EpYinAMxC5
                                                                                                  MD5:C3CBDF33261AA0BAA8C11B4D713BA911
                                                                                                  SHA1:A486A2CFA6EF16B9DD005C689C767E47BF18D5A6
                                                                                                  SHA-256:0BD8B6B5D401001A2003486077BC095A2138B42DE7A52B212BD7A4AAD72A9E35
                                                                                                  SHA-512:132600340186128C7B8EA40D77DE9E5359A52949E7EE815CF959E2000A6EE178FCE26A2AAA2EBC56A48318EEAD3038189567CD5D14F9E977780373649C83F41D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):97328
                                                                                                  Entropy (8bit):6.241615255803021
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:rNSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxhP:rN3OWMsQ56vd2s+KuYc9RTJrP
                                                                                                  MD5:259DAAE7BD386F6AE1C50DEF93F9A274
                                                                                                  SHA1:70E68497781C4E7B931B11E9EFE702ECCFBC3AF7
                                                                                                  SHA-256:859758492E07C9297C1C5A0A31FA30129C23D479F442ADE01F4A51F78A0DED08
                                                                                                  SHA-512:8D25CB5982E2D8A5EFA0056C120E1BD5AEC7E28DE4DEEC9BFA2BAEBFB0FABDC4A12369F901C8415CDD3402C9A0E8F8F338C1C5E3FEB1A2C0F45ED446AB80701B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0............" ..0..J...........h... ........... ..............................d.....`..................................g..O....................T..0(...........f..T............................................ ............... ..H............text...4I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................h......H.......L...............<^.. ...\f........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138288
                                                                                                  Entropy (8bit):6.18032959054322
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:g3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnJ:S0qjCSRE+fw0kG71S
                                                                                                  MD5:CC3FFADF699BFB7F10A176AE306707E8
                                                                                                  SHA1:C0824E4E57FEBEF32E904E540BA369BB77ACD15A
                                                                                                  SHA-256:D48B4C4D3BED0F4662B98E557A0EDE24B6C3745E7BFFC114164A2FD33D947904
                                                                                                  SHA-512:BC648768FA54D6F9A0FB70CE88960EE2137712FD7056F8FF28D2E222871D2FFA96B97C81E21D84CD71EA336F29D28977EAB57D858B2B7D1D7C7B2B01BB455C32
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`...........@.................................?...O.... ..@...............0(...@..........8............................................ ............... ..H............text...h.... ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B................s.......H........ ..............\.......D.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.672454142602205
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Nh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeB7f5DxmX:Ny9eEpYinAMxCA7xDxmX
                                                                                                  MD5:2BBEC1A6C6C64499CE0A4EDEA5D0C629
                                                                                                  SHA1:A1C39059B887B7A1BDF93CAB3237413D5948BE26
                                                                                                  SHA-256:D80E6D1C2A0850A2FDCA5F16A259130B08DDFE968CDC137253221CD4600D53CA
                                                                                                  SHA-512:B27639E9D30FD23461723708D4067C99AA3162FD8EF935AD5DA75776EBB46F2D11BD0FCA211BE35A195CE3020E10E063F66FDDDEAC0624392143B856DC23C174
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................q.....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\log.txt

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1572
                                                                                                  Entropy (8bit):5.112035356593415
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:Xc2ZWO0WKptYcc2ZWO0WlcMz4qSc2ZWO0WUws:Xc+WDWuYcc+WDW14qSc+WDWUws
                                                                                                  MD5:C2E4DD73CB0F4F493F0EE212BC9214C9
                                                                                                  SHA1:A59798FB9EC8FDE131FEA111692F4C45E399DB16
                                                                                                  SHA-256:31F36BD2556A27AE19FF07C7C88378BC66010BD1EF9D425C5407D3D8A442280A
                                                                                                  SHA-512:77412E4DA9F4EC1DB4F4015927A90E8CAA10152DA19180CE59DABCB2959C7C2741B96C9FB77B4FC8E73F16A65B2DF88EFD33E4B6DC1C3DB8089F9889FC813FBA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:2024-09-04 08:40:16.5002|ERROR|AdDeviceConfigDataResolver|AdDeviceConfigDataResolver Error, Exception: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary... at System.ThrowHelper.ThrowKeyNotFoundException().. at System.Collections.Generic.Dictionary`2.get_Item(TKey key).. at AgentPackageADRemote.Implementations.AdDeviceConfigDataResolver.Resolve()..2024-09-04 08:40:16.5471|ERROR|WindowsInstallerFactory|UnhandledAnyDeskException, Exception: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary... at System.ThrowHelper.ThrowKeyNotFoundException().. at System.Collections.Generic.Dictionary`2.get_Item(TKey key).. at AgentPackageADRemote.Implementations.AdDeviceConfigDataResolver.Resolve().. at AgentPackageADRemote.Implementations.AdAgentPackage.Execute()..2024-09-04 08:40:16.5627|ERROR|WindowsInstallerFactory|AgentPackageADRemote.Exceptions.UnhandledAnyDeskException: AgentPackageException

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):384064
                                                                                                  Entropy (8bit):7.999354812539926
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:6144:oT+//Q9zzulKCWBQWv2SaUi4QGX46RIpikyZVsEJ4edsS5OmBOGapgfFwchugV7h:o6//QYKvQe3as3vt4edsTEHapgfgt2/l
                                                                                                  MD5:62BA835DA9186B6F9ABA75DB02BDA457
                                                                                                  SHA1:73CF400D8CA1E32DC336344778E43BA5F077659A
                                                                                                  SHA-256:3F7E666C873A00E2FC36561CA3C6554D64EE592CA6D7AAE44C1D578A4BA952C0
                                                                                                  SHA-512:AD12DDCF069B1E41895C6FE95B4206AFD5E41FC36078323B0CF5084A90322106366B1058FD19F4A7A2E3298B59EE06CF8DB75DFCEDAC3377211216A81DD86CD9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-......G.X...M........=...AgentPackageAgentInformation/AgentPackageAgentInformation.exe....0................x..$.C"c.._.9..).....o...."\..`J.<..5..`..s.wUA..H..?I....L.P6`.)#.V...HV...T....C2P...(.D..y..O..%..[f.....U... c9.G@..g.......G!b....:o....7..~.h.s"5.1.u...\}.{l....<Yz...rj.2H6.......K%....SR.3.cg..*..o..z..k>...2.T......nz..L.....*.b."...R...p..k.=3.N.I...c....ht..*..Z&i.J{..,:..}... .2.........e/S.....{wr.+.=.....#`.LKl....4a.+B.:..T/s?..9.,#T..w...;.Q.X.F\-..Z.......`W.W..Y...j.E.......;..74..W..d.....o..x.m{...a...K}.....i)..H.a.*..<.m.;..I..1..Z...v.i....!.*.'[..`W..!../.<...."..u;W!Zgkfr.xn..,..8..{u.E. .#5F.. .(jD....:.&S..D.&......g-B#...:.2.....hqH..YY.......`..Y.;*.g.>0.......@d.=...Oiu....<.H...z..j.6.|'...9 >..d(l..B. .....5Pl.......cT...(L0....s.8 0.....k.e.pKo.).2P.'b."`d.N...u.%.l'z$W.....,j....OY.X...%.(..*.....{s..l...H6M.>S......@u...^c.#e^..l.......wU{..L3....5......K.xU....~.;.0....=.....a.j....o...C..~....$.(

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):176176
                                                                                                  Entropy (8bit):5.810538753278762
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:8hu0H1+EJQCH77wKu8MFZYfAZN8nCq8vwzZhq7tZ:8hu0H1+EK27wKu8MFZYSIZhqn
                                                                                                  MD5:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  SHA1:F0EC4BB9BE94EE250ED38E88A87B65E727A9A058
                                                                                                  SHA-256:C46A613D72F89B5886A79B742AA845152505734642188EA710716F63FB775C77
                                                                                                  SHA-512:1FD0EADD36D9058E7BC4AC06108B0430ABD5D43BC14100593352FD2F5639547B92BD7AE9691E219A26A90A80E4427DAE687A2312DCA0A48F71DD3ACFF9494752
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(}f.........."...0..|..........f.... ........@.. ....................................`.....................................O.......................0(.......................................................... ............... ..H............text....z... ...|.................. ..`.rsrc................~..............@..@.reloc..............................@..B................H.......H...........8.......,....................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o .....s!...%.o".......o#.....s$..........s%...%......io&...%o'.....o(.......o)...o).....(*...*..0..........r...p... .....r...p.(.....o......(.....o.......(+..........s......[o .....s!...%.o".......o,.......s-..........s%......i.k.....%......io........o)...o)...(.........o/...*..(0...*..{....*"..}....*..{....*"..}....*..{.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):546
                                                                                                  Entropy (8bit):5.048902065665432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                  MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                  SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                  SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                  SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhWan:WTn
                                                                                                  MD5:5114AE785BDC99E7A17BF2CDA7D29A72
                                                                                                  SHA1:3DE3B2F755C832B8D5E6C0EC409448E2F559FFD6
                                                                                                  SHA-256:69DFFBBCA4B0D194104AF8F2E0FCF2B8019BE844149151B35AC0777A26FDA2DB
                                                                                                  SHA-512:87243F0B4B8E45408B39D209FA7AAFF2A844D58E73C431F7887C90B000FD19B12048987218598945D4FAA0FA75FDAEA83FC50583175143DF737134A2BDD27D03
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=37.2

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96816
                                                                                                  Entropy (8bit):6.18002703527251
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:9Jt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7HxwX:9QUm2H5KTfOLgxFJjE50vksVUfPvCy
                                                                                                  MD5:DDC6B969B5DB1626766381FF12340FA1
                                                                                                  SHA1:6AAA12B989EDAAD22E1DB21127DDCFFD8951930A
                                                                                                  SHA-256:CEBE42FBEE50769C3CF9CE1ADEB4FA85046802B7A298BDEAAC3278CF4B653525
                                                                                                  SHA-512:B86D9C2E1234960F6614B6E6D790EEAFB093DB4CC1C9A2C4FE55EF0D4496D79B673F1B373BEDB036D23246FE1D3B7370FC0A195F59508A0566BF101401480F6E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................i.....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):704560
                                                                                                  Entropy (8bit):5.95412318973471
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:t9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3c:t8m657w6ZBLmkitKqBCjC0PDgM5M
                                                                                                  MD5:6EB75A19A6AB8F9DE3886261B399A8F7
                                                                                                  SHA1:7FE98DDEC3FAA1362167BE26B5455283E7777881
                                                                                                  SHA-256:D1A4D5FB2B89A96A3EFFC149D0A32B72182D37B59414AAF78E202D91CF408A68
                                                                                                  SHA-512:383C477438A3654DCF5EB984626715D14AD6C771692B28326EE2212034F8B70D4430AEAE677532C66619883CBE86456602E544F2E0F0A98770F69BE3956504C1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................................`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):4.666007038771306
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:hsShKq4MsShLP6SX9NfzyShaKf0O4XJCGShaKf0Od:J4qBX9Nf14XJCd
                                                                                                  MD5:2B50996B230ADEC036D5150E5C4C1D6D
                                                                                                  SHA1:C225A78F503BC30F85D3B2A5C049C50BC3E94616
                                                                                                  SHA-256:903139AEDCD57A0D52C2F06DD91B0BDAE995DC0831DB65DFA64B1A3E5FF4E457
                                                                                                  SHA-512:F24A27C5828369C2C5090F01E73A66DF01391ADDC1A20DC110FE40988C5A78F978D2ED1472ECE957688AC68107CB23FF8EDD6DA44C2C08B9E22F6678CC7E171F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................TAgentPackageAgentInformation, Version=37.2.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]................<....H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\information.cch

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35
                                                                                                  Entropy (8bit):3.9432894453927676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:mji9RwUkUd4S:/+UkUf
                                                                                                  MD5:E5DAB7101F3008EC85122E5E427D7A26
                                                                                                  SHA1:9730B480B9DDE61C1FD97AD1D4D508DEE75EABB5
                                                                                                  SHA-256:896F81533F26F483A2FE86CA98D94DD3A506E3C2CF5E2857846E8102C0FF607C
                                                                                                  SHA-512:4B088D1B1B86F5ABA256BA2BAE0F4AB1EC853BF88EEBDBC33B4EBC59A1D54400477AA3DD67087BB3697083DA48D04607AE31B095F386EA04B4A7677836A0A31A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.C9F4FF55AA65BD0D0CA5F21A18484730

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35
                                                                                                  Entropy (8bit):3.9328743603470455
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:UfrjzgRPjjNA:IrjsJjq
                                                                                                  MD5:42ECCFD705E01B78FB24BB213B3DC068
                                                                                                  SHA1:B0F26AF4824FE9FF4EC9A1C094E221BDA68FABCE
                                                                                                  SHA-256:74274091C254156413D7C19D153228613CDF291344AFB1F6DBD98D3510675E21
                                                                                                  SHA-512:4C8FDE145525148B665ED20322F85AEC412F20FA1ED664416295D9FFB9B3C69EF9A46B83D592536F2DC03743C80E55977ABA8ADEC9C8265A0089B59BAD5870DF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.A02CBFF457DF486F764A201F970B8E0B

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):294240
                                                                                                  Entropy (8bit):7.99936269480758
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0Ll:EUaBXU5BjfcE5WTkwGRfQY+Om3lqd4
                                                                                                  MD5:622A9C0AF8CD082E385F602DA47D2E44
                                                                                                  SHA1:501542FDEE105510D64568BFFC2BA90AFC1D5F27
                                                                                                  SHA-256:ECDB27238BC127AE5BB5ED09319BE12551392DAF08574F86200E5515156EB61D
                                                                                                  SHA-512:C241F45FC65625314E4A4E89E159DEED9EA9EEE742C59E18A1B1A54B2844209791F0E061466330CE0BFC2511D317FB93E1B062B5FE44866CF984100DB63F38C6
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-.....'gqX............/...AgentPackageHeartbeat/AgentPackageHeartbeat.exe....0l.......?........F0..6\.q.......<.......I.3. &.;.........O.;d.&.U....".' ..}P..u+0.`g.Z..Zq,...w.1./..UD....F.a...B=.....!.. .=... .#7A.Q..o.........+q.C5 . 1..Ud...R>n..Y.9}>z.....yE7.}!sn....p1(e.....}T#>2/..y*7.@.<..J..q......3.4....M..."/"..cS....9pT.dn.:c...&..,H.e.....r...X#...m...V..ZP......+.h.R. .8.......!7FNa.`.P;.......P~..U.x.K.D8.&.vQ!..xn..~cNG.2._L.},..........:.J...S.y..-J...K.z.H.....z.G.6....d.b.[..9......Q.r.T........#..+..b6<...p.}......!.5.&l.E..4.F8..Y...."/.b.....................(.......b..&.6...t..%.(A..X{....H4....[.....}.......n0.:.......s..wQ.&.J\|j.....7=b+.L.t.l.0.{G.Jb.Jy.U.kG.....p-...^..g.4..RA.R..........~..5t4_...Z...h..J..........t...C3....{K.h...F..W$...U....-55....Hi.......m...............x..........)...F.p....r,}}L...i:q.Y.O....`L......yY...N..J]....T..~_|.Bh..p.w%0.H.%D...p..RM`..e....TJk..(..\.%......4..N.<..^..k/_..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27696
                                                                                                  Entropy (8bit):6.448893455648887
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                  MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                  SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                  SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                  SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O............"...0..8...........V... ...`....@.. ....................................`..................................V..O....`..P............D..0(...........U..8............................................ ............... ..H............text....6... ...8.................. ..`.rsrc...P....`.......:..............@..@.reloc...............B..............@..B.................V......H.......t-..x(......2.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. .... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.rW..p*.r...p*F.(....r...p( ...*.r...p*.r...p*..(....*.rM..p*.r...p

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):542
                                                                                                  Entropy (8bit):5.041389931890446
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                  MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                  SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                  SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                  SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13
                                                                                                  Entropy (8bit):3.5465935642949384
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhUv:Wm
                                                                                                  MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                  SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                  SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                  SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=17.14

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):93232
                                                                                                  Entropy (8bit):6.196023578677744
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                  MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                  SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                  SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                  SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ...............................F....`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):624640
                                                                                                  Entropy (8bit):5.871625159814148
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjo:fBA/ZTvQD0XY0AJBSjo
                                                                                                  MD5:D2D76AAD4B039B0EB42806D5DE6B13A3
                                                                                                  SHA1:03C2178677C80D5E6F8181A0BEC983592C5A2ACB
                                                                                                  SHA-256:C616EDB61657D5D3B3F58A6BDB8B21608E91BF602649C6E598005A1B7BC44AD5
                                                                                                  SHA-512:5A1962B71B0E9A43B2115766B44DC6C935F9F306C4896410A6561FCCEB1B249F4E6CE8988E0235D44FCD995767DA49E73C3F893B46713188E1EC586F3FD7CDF8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......Ee....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):833993
                                                                                                  Entropy (8bit):7.999644881255343
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                  MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                  SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                  SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                  SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-.....;9rX.9..........9...AgentPackageInternalPoller/AgentPackageInternalPoller.exe....0Z.......U........ee..Th8.............t.v.g....g......M.........c..K.`|.'1.W.g.;.W+.e.....D.."|...]-:.To.:.`B(.E{.T.?..z...&.....g.....1.,km8.....Y......WZm;..!.....k.....iA...~.zK..EW'.....p.A....Q6.~S......A.......6....h=C3N0y.$i....M...N....C......I.....UCp.p....x..WQ!.p..>.'N%.2Z.l.R8./...%Ew..T..yy.....q...U.nqH......".......n.6M..P.:t...t1..r...!9Z.N.X.s8.3.9V.a...m8....LpWS..O.8..R6..O.l....e|(..F...Og.h.0..,..Z.H....Rl..L.N.9.\...."4..%..A.<."..Iy...:..GBw_1......3.y.p...a...*...l..._.FI.Z.....+.L.....]Y.K|RM.Pf..in.........93+2.QMH.t......<...3.. ....2..!....t..)).I\.qw1.'..J...J3".K'rt.h.f+.I.7...q.MK......V.._!Q.].w..au.[.brv.T&..Lfm./..J.$.m...... t.u..uQ...L...\...M.Ihp.rG.J..C".....d.....;z..d....L.p.r.c7....q[2.e.........!(....Ld.....M..9...M....>EN&dY.]....>QUJ..N.+d.cr..].D.o.........?o.~@....@..D[...5.C.eP.a.....;..:.._v.....R

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):219696
                                                                                                  Entropy (8bit):5.943430076853408
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                  MD5:01807774F043028EC29982A62FA75941
                                                                                                  SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                  SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                  SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..e.........."...0..&..........:D... ...`....@.. ..............................h)....`..................................C..O....`..d............2..0(...........B............................................... ............... ..H............text....$... ...&.................. ..`.rsrc...d....`.......(..............@..@.reloc...............0..............@..B.................D......H........@..$.......f.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ...x )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*..{ ...*..{!...*r.(......}......} .....}!...*..0..Y........u........L.,G(.....{.....{....o....,/(.....{ ....{ ...o....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):541
                                                                                                  Entropy (8bit):5.097123194334321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                  MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                  SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                  SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                  SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXWp:WBc
                                                                                                  MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                  SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                  SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                  SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=23.8

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52272
                                                                                                  Entropy (8bit):6.300719339270839
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                  MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                  SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                  SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                  SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ..............................t.....`.................................2...O.......................0(..........@...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................f.......H...........x.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96816
                                                                                                  Entropy (8bit):6.1801131806578455
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                  MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                  SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                  SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                  SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................l.....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LastSyncDevicesTime.txt

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19
                                                                                                  Entropy (8bit):2.9655839357277816
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:65vRtn:65v
                                                                                                  MD5:E4317BDE52351E3F838F6F070ED1678A
                                                                                                  SHA1:162D3CDE30C02344876D52BAB231E3FACA4B1AE0
                                                                                                  SHA-256:2E6C92175FDA82EB2804BFA0274CD559E014E6876B7385DCB730BD877E2B550B
                                                                                                  SHA-512:BF64E5F14DF96668C61B555EB436D9E624EE67823DFAD4FBA66072D20ACC9EC5F1DE80C83FEAC91EA9F0A1E2CC3F961BFE62CFE126B04DAA5CFA98B0B634B4C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:04/09/2024 08:40:39

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):499760
                                                                                                  Entropy (8bit):6.056862695710082
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                  MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                  SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                  SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                  SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,..........." ..0..p............... ........... ....................................`.................................?...O....................x..0(..........t...T............................................ ............... ..H............text....n... ...p.................. ..`.rsrc................r..............@..@.reloc...............v..............@..B................s.......H.......(d...(...........................................................{J...*..{K...*V.(L.....}J.....}K...*...0..A........u;.......4.,/(M....{J....{J...oN...,.(O....{K....{K...oP...*.*.*. 8..z )UU.Z(M....{J...oQ...X )UU.Z(O....{K...oR...X*...0..b........r...p......%..{J......%q>....>...-.&.+...>...oS....%..{K......%q?....?...-.&.+...?...oS....(T...*2.(U...oV...*..-.rE..psW...z.(U....oX...oV...*:...(....(Y...*:...(....(Y...*N..{Z....o...+(Y...*z.{[....{Z....{\....s]...(^...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960733432365752
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                  MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                  SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                  SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                  SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ...... .....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):277040
                                                                                                  Entropy (8bit):6.190626027944278
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                  MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                  SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                  SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                  SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................>.....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):149552
                                                                                                  Entropy (8bit):6.059724018456156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                  MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                  SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                  SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                  SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.R..........." ..0..............3... ...@....... ...............................5....`..................................2..O....@............... ..0(...`.......1..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H.......H....1..................81.......................................0..S........-.r...ps!...zs".....o#.....g...%.. .o$......+......(%...,...o&.....X....i2..o'...*..0...........-.r...ps!...zs".....s(.....~o...%-.&~n.........s)...%.o...(...+o+....+X.o,.....(-...-.r...pr...ps....z..o/...&.o0....3(.o1... ....(2.....(3...,....o&.....o4....o5...-....,..o6.....o0...,.rK..pr...ps....z.o'...*.......F.d.......z.-.r...ps!...z.(7....-. o8...*..0..U........-.r...ps!...zs9........+ ..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27184
                                                                                                  Entropy (8bit):6.334370226233819
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                  MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                  SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                  SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                  SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.955083228632948
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                  MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                  SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                  SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                  SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\log.txt

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):639
                                                                                                  Entropy (8bit):4.755855306583299
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:KiMDIytXE4iMDIy6XEOMrDNw4ECuZDGoQgzZbor6zFNLrr6zFNLf4gzv:KNtXjNW2w4EwoQeZboIFFrIFFgev
                                                                                                  MD5:3DC4D77E5A13FBEBC91AA32781093AD0
                                                                                                  SHA1:DD2C9C742876FFBCB667AB9456672F8CE06F61D9
                                                                                                  SHA-256:92166EB35BAEA787D67468711805CF934283C759E2479E45E729AB0FE147B1C5
                                                                                                  SHA-512:F1C6A917A276174B14869C62E02DDCAEEC111C0772C45A0116F006F32297C34D973CA2906FFF5ABA61AB944868E297926527527630BC73E92A2566FD084B9ED5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:04/09/2024 08:40:34 In Program static constructor, before instantiating _logger04/09/2024 08:40:34 In Program static constructor, after instantiating _logger without using _logger04/09/2024 08:40:35 Starting Main(), logging without using _logger..04/09/2024 08:40:35.950 am: Info: Before PollAll() call written at: 04/09/2024 08:40:35..04/09/2024 08:40:39.419 am: Info: In PollAll() before Poller.PollAll(false) written at: 04/09/2024 08:40:39..04/09/2024 08:40:39.482 am: Info: In PollAll() after Poller.PollAll(false) written at: 04/09/2024 08:40:39..04/09/2024 08:40:39.482 am: Info: After PollAll() call written at: 04/09/2024 08:40:39

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1242459
                                                                                                  Entropy (8bit):7.999705337724571
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:ZQXvdoybigLPNNmXx5B7u62Axnj/7NAckRq/QO8tf:KoMFLGXxn7t2ARjheh5
                                                                                                  MD5:DE647C2003B0AF989D2E87782CBDDCD4
                                                                                                  SHA1:BEDC6201C49E8B26AF38D4A81AF7545ABE4E27CD
                                                                                                  SHA-256:74732E18B4D2E436952D9BF13AFFB854D570E2E7BD25F5AE6884195A4343A697
                                                                                                  SHA-512:34438F6376D283B6E5D1D2E60B2A2A8411641E2EB89ACC173D0DB409645FA37D1D67ED47899ADA434E9BEBF054867D8EAEF14BEAFABC116E30A76622D2796A4E
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-......LrX./..........3...AgentPackageMarketplace/AgentPackageMarketplace.exe....0.......FN........U./Ve...j.K.IXm..._f.n....f...;F...d.Z..S;N?..$..~..W...41..9....|..d.....H.>..Q..".[.Jw.....}...l.....j.8....1..1....J>.....,..Sl....W....!.6...bV..P...sb.r..^.fq...Zr.!.>..<....".x..}..O.=|./r.*..4.&rI.6!...V.......N`'Z.....o.....%.G..f...TB.....9....p.b.cv.~... ...^....m.=<.}...Xp..~;.....o(!..V.'....:.j[.G.2.....8;..*F..JD......~...d..:.>n.T.r.l.....s%.......%...>..!C..E.<......C.A.&.F.....e.+lR.}....d...3T.....E....g........'m.M(...H[.....u.WC.,.S3p..=9..z`...\4..3........i.\C..dZ.$....Y.8...*Th."..k......)a.$.....&.2....=f.......NLl.....Sye../. ..I......B.R...!.6.].[(.R6."v.V.`..|...b.$.S..M....6..e...>L.i..<[..W.g<Ty.;/.F..rJS.8A....W.26.H.q..A.4.\.h.....<...M.I.{.%....>..ey../O1...~...]G....S{(_..36e.)......5..j.U..a.....X...Y...u.I.hsU.j<.~0>.R..B..(.-^..0.....M.Cp2.y._...0.u..B.^.j..W....>....d.._.`\/.....FJPu.....rrW.^.....#.A..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):37936
                                                                                                  Entropy (8bit):6.420777740976457
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:TlK7ivy767zzumHTxUxx/u4sEpYinAMxCczxx:9IS6mHVUTxl7Hxhtx
                                                                                                  MD5:601E661FD5917647D8932600560E6A27
                                                                                                  SHA1:C259050D22DDFCCD00434FBDF4660668E45A1D45
                                                                                                  SHA-256:0F1A1F5C257AA061CAEF7FAA224959F60F8E257A5A56ECD02BB9E8BE25EA093A
                                                                                                  SHA-512:8A3822FB7A1FA5C08F9FFAA7F3FA91FFF2DB795CA17D259D3C51264434D86325E20E8398D4E3785E143AEE7430A35287112C52A876E163F5AC8FCA414E27FBFB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0..`............... ........@.. ..............................d.....`.................................]...O....................l..0(...........~..8............................................ ............... ..H............text...._... ...`.................. ..`.rsrc................b..............@..@.reloc...............j..............@..B........................H.......05..|I...........................................................0..H........(......}......}......~D...%-.&~C.....j...s....%.D...(...+}.......}....*.0.._........{....-.r...ps....z.{....o.....i./2.{....r+..pr...p.{....o....(....(....o.............{....o........:...%.. ..o...........i.0..+......{.....o....-2.{....r...pr...p.{....o....(....(....o............{.....o.....o....o .....-.....ws....%.{....o!...o"...%.{....o#...o$...%.o.......E...{....%-.&.+.(....%-.&.+..(...+

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1295
                                                                                                  Entropy (8bit):5.018953579697613
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                  MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                  SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                  SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                  SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11
                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhUln:Ws
                                                                                                  MD5:5652F0418016B3ADE276CAA479E9D5B0
                                                                                                  SHA1:8385D87585086709BAC2E028432AB505875DD0CF
                                                                                                  SHA-256:5E29BFF135603676BF4545FBFF476A3C705FE61261F7334BB71C55F9DC8FA095
                                                                                                  SHA-512:8B9F9606D29895470277D78C78EBB0A9487F012EA9FD92468791E1B33E406E14E9A7DF02391F62475229051E282DCF15A5977132FDF6D2C1769C69E572C3E8B1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=1.4

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):92720
                                                                                                  Entropy (8bit):6.197723114252408
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:XqIbONGJUSMm8E0/N4El/5qn0k8sSU0R1g7Hxt:XqIV8E0fJ5qn0k8s81gf
                                                                                                  MD5:9730ABA0BFA904FABD79FB5E3F2083A5
                                                                                                  SHA1:5D8A6F97D6B729121A7409EF881452E8A8532E74
                                                                                                  SHA-256:9D3A9CB8F40AE8FECDCDD953C12574DCBF0D1B411ED09875A6E1194D323DF97F
                                                                                                  SHA-512:0B46876C6C48A7969FB4F548CDAF9927FCA5949F005D75B9DAA3EFE181839963D3BE6CFD34962AB7111BDB577CD0881E80EF494770B66752D4DDE7A2596EB4E8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*.tc.........." ..0..8...........V... ...`....... ..............................$.....`..................................V..O....`..8............B..0(..........`U............................................... ............... ..H............text....6... ...8.................. ..`.rsrc...8....`.......:..............@..@.reloc...............@..............@..B.................V......H.......$f..<............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tL...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95280
                                                                                                  Entropy (8bit):5.998458771567579
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:niLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv6:2Z0PMcjrgv6
                                                                                                  MD5:DBCEF7625BA26E5F98BFDB57EBE860F7
                                                                                                  SHA1:63748B8CA00E8D0E5E6F9EF8079959AB5C776208
                                                                                                  SHA-256:7F83ED5B26F7BDEC092A468D4CF5F24FD8417EF11D479FD78FEC4CBAC74BC193
                                                                                                  SHA-512:9902A9A794D30A21681156C54C868B276F6AE294DE2D40FBA9B2448F853452DE15583A9485BACB7600467173DBCD99A1571E62F2E56FEBABBBC812DB03E5A7D7
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..B..........R`... ........... ....................................`.................................._..O....................L..0(..........(_..8............................................ ............... ..H............text...X@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................3`......H........h................................................................(......}......}.......}.......}........o=...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po!...o....*..{....o0...r...p.(....(....o&...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51760
                                                                                                  Entropy (8bit):6.406771850554805
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:cQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCH9I:c9MYn1seLE8JFMLcyMH7Hxh
                                                                                                  MD5:BF0A1971F65A9FE73F8E048BA390710B
                                                                                                  SHA1:FCE44EC8DD092BA5D76ECDCF7ABC8912AECD7EFB
                                                                                                  SHA-256:F9A2D469C7FDDFD29DD49B617141F3DFAC3F98F9218198CF639887E72C7A1F82
                                                                                                  SHA-512:490DD7021B595239A98BFFA409667D864249408355E31A72251EE68700562BC90A03192C3D3C3379224876077758BB78DB337242AFD9F6F0F79E5D03AD0E36CB
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ....................................`.....................................O.......4...............0(..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):354352
                                                                                                  Entropy (8bit):6.153608452030037
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:Hr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYsn:Hhpp9xxIBeXGfvYsn
                                                                                                  MD5:4EB845CC376117FBD7456B5116DEF8EB
                                                                                                  SHA1:CEECAC7E66E327A55E8E8AECA34569C1A98AE618
                                                                                                  SHA-256:3147327D5B6FDC6213B8082D0A5E469EAAAEB127F9D25F5A54F83A09564F920E
                                                                                                  SHA-512:CC96AEEB1C90941EF51C9C9BCE8E4A304F33F868CACA1655CD1ABE0F110337DC4B2486F9D57DF493CBCE8B193A44561F03133AC10B2ABFB0CFA221176F8D9206
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ....................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):883760
                                                                                                  Entropy (8bit):6.071423352723142
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:x1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQK:x1n1p9LdRN39aQZUq3
                                                                                                  MD5:BC7133B1B43617AAD9B6CC4BABF49E8E
                                                                                                  SHA1:424AFEC5BBF4523F651A6AD2EB14EF0EF7CB9FA6
                                                                                                  SHA-256:E3FF7C72FC6AE0F4CF5F2F5463F7C232CCF73A9496A1A8B2E82D793B85DFC39A
                                                                                                  SHA-512:B73DEB87F0C0155CD98B9F92A4A9FE04381C1F5D98F47E3E6DA085087AFFCD6050850904CA5FA2D770465516A1EFFA3DB88EEA8198B4366E6944A8472E68BB3F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ...................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):702512
                                                                                                  Entropy (8bit):5.9432161483973
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:Kf9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH6:YXNL2PVh6B+Bzjmca
                                                                                                  MD5:F2182E7F039D5A08B27FFD8B12DA12CE
                                                                                                  SHA1:140F1BE731C0F6C1A2AE221B5E880B37807CA539
                                                                                                  SHA-256:DE0AF87DF1D85E9D877533899B428147D961F3AD87555A997793AEE2C4EC3D14
                                                                                                  SHA-512:AF30D9DEFC925A56F963FF1B023A260B851CDE5E1FF57B8213268753E1833C2F3BC7977E97332B2B2ED2D6A20B515A7F562A3DCA4DC960125FB06073F8AEF0B6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ........... ..............................+.....`.....................................O.......................0(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........z..<&..................<.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{[....3...{Z......(....,...{Z...*..{\.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285744
                                                                                                  Entropy (8bit):6.189807833908334
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hZAWecOmop6I4A9YzsRuBeXirS9/pcRykxxNKKV6S8mSrpsPnga:hZeZ6ANRIru9/pcMkoKV64SrWB
                                                                                                  MD5:C248CF206D619DCC9DFDE1905C56ABE9
                                                                                                  SHA1:7E738C393C9C356567FEC91DD5EC9F8D7201107D
                                                                                                  SHA-256:17437BC5E33AE2D4C02DC19844C3EFED74B8F07EFDFC7E7F21E7B76162AE5C2A
                                                                                                  SHA-512:6EE09AC010C65D2C02AB25DDDB8530ACE7D5E8342764D4F98DECB94B02C18B593D22322986264327FEE2DDD3F4FDE630F63EBAEBF274D57006549D53FB9D68F1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....O..........." ..0..*...........H... ...`....... ..............................Y.....`..................................H..O....`..L............4..0(...........G..T............................................ ............... ..H............text....(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H.......Hd......................LG......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):284208
                                                                                                  Entropy (8bit):6.117313368373633
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:tZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHW:/go0WPVTXg2
                                                                                                  MD5:E7F7F8366DAE3FF49DF0A042E766B823
                                                                                                  SHA1:13163C2D38244CA3043DCEB6E35AA9E35E5460FD
                                                                                                  SHA-256:28FE2BB6DC8063506A50BD16EA75CAC63FF87D6C94FE8C820EB4C7C070DE0AF3
                                                                                                  SHA-512:154AE5A8F1EF145609158322EA1ED22A815643D980C82589A708C72471626B2A754EBF5CFD3B017229A32775B581F4476AEB2DC8BD10B6D8CB2842586CD514BF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ...................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.677875130083087
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ey/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqh7:euhMaVmzDC67EpYinAMxCr
                                                                                                  MD5:AD27AA5DF0CCB993A7C533ABC2B12BC5
                                                                                                  SHA1:601A025FB69A53EA8627AD124BCFC6689E15C3B8
                                                                                                  SHA-256:C3836ED94362FCEAEA5EB3031CE226E3A2188196B335FC12AF5379754F3BEE6D
                                                                                                  SHA-512:FD462C30EC56D26829873C7CC437FC9B7B65DF094247486982964F8347D53CA31BC62B6926CCD242BE5C59F11E929F2945C6D15AFA13E46E7DCE68171FD7DAB8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51760
                                                                                                  Entropy (8bit):6.234800508786839
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:fzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWX:fzpjF0/t043e3vggr83jMYa/hU7HxVX
                                                                                                  MD5:2D33C7F58A38D1EBD9167DDBB846C552
                                                                                                  SHA1:96A22461836A2D9D0A3D945B1A000B601DD112E2
                                                                                                  SHA-256:46DAC445CC521BBC4763E09E344CE47E89C9ECFCCF359BAB5E7DDA158798B61D
                                                                                                  SHA-512:164F50BA58540FDF9DDD0147BF36238FF2A5F4CE5F317C1B0C6C6967DB353537B7744DFDE67F0FCDA14C1671635E1E191D5DDE6FA258054E92247DAECF180580
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ....................................@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138288
                                                                                                  Entropy (8bit):6.180026310625973
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:SP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlW:Sh0qjC5RMOHO420kN1p
                                                                                                  MD5:FA1958277D8991A2CA3DCBEDD326E679
                                                                                                  SHA1:FF67C65737EA8EB970D58397AD41179DFD7D876D
                                                                                                  SHA-256:F90DD27CD8064A93700C114BA8479741030E99356FBB120CB03BC341E88EABE4
                                                                                                  SHA-512:226ED579CCD8D4CB7705A0245926A25226BC054884A55AF6BC8E707A5FA2EBF38E3094F15F309999F3D05695E7B3C9CE5022B5EAAE6E2E5E092BEDB6B9A74B9A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......E.....@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.67630363450165
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:dh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBw52Z:dy9eEpYinAMxCAUU
                                                                                                  MD5:C8A500FA8517ED60D8294125640CE6BF
                                                                                                  SHA1:8D056F18F46ACC3798214CFC46A9A849DB83BF6E
                                                                                                  SHA-256:72B89634770625E6C891B8336755B6A341C8B5786C3728D9D679B756718A2DD4
                                                                                                  SHA-512:443CC856D319F519DB75B9359C57F6410821DBC3F57B4C86EC66C18285DAC7BE6FD983653343B43278553B92A7AF07D1911FA5847B8F884EC04BB8BCC8054350
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ..............................+.....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27184
                                                                                                  Entropy (8bit):6.332745078390322
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:fn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCkwZ:fnvXYcIh6yFIFBYpc47HxlwZ
                                                                                                  MD5:D62F04C397D229F2661538F299181122
                                                                                                  SHA1:03EE3CF62888CA5BFD36B042D2E1F90F5741E0EB
                                                                                                  SHA-256:3F07F423C81340FF2BB705C599BEA8267932EAB8D5F9E2D60BC54798C3FF6CDD
                                                                                                  SHA-512:C4F91003ED7D13BF4C2E06CB462920C6D3550F76F4D0F63D3070F760A874B3EAF00813BC0871E5E3FED5DAEEB60D1691A1AE93246A0ACCCE518512B8AC3DE56B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.955144932150523
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:8784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRJP8:87N1r9KGI04CCARLB8
                                                                                                  MD5:328BA848ABD9A548F19263D9E43B7361
                                                                                                  SHA1:DB4D58DEAF5EC79F620EF1AD5BFF9E28F8EB0D7E
                                                                                                  SHA-256:B282E0543145778A695B875E82908698A38B0C0DCB9F88BAD135823EA69A9D94
                                                                                                  SHA-512:EC8DDA91192109C5E981E2EF73CB5F7169DBEC36B32221700C8C759883B7FE2176575A39C3CCDF7F4C3F6351560C9E37B884D62154BE6558875F117638533301
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3585011
                                                                                                  Entropy (8bit):7.9999193745697
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:49152:PifnPfXNZMNdg2I1fVkjUhN0ToFwQGw8tQRSm90p13l95Ogl5xs35F7gzzTaCzZw:PSPfadg2IIj+N0TK7SSKjUglopWD/Py
                                                                                                  MD5:25EE719E8A32A0C5DFC57A5923FE32F2
                                                                                                  SHA1:F48E0549F5F05476EB780E78F7840A98B4375193
                                                                                                  SHA-256:A5CEB8392D19691CFC565D6DE595D829D474B9B095557A55C1D11BA475E82836
                                                                                                  SHA-512:A7483CDD47E71AE7570AFF30D2EC9E8017DFE5BA6488A8E14B538912A0E3AB286BAF764A13553D30170D874C5F14EA524C5D878131304C74838AA8E0952A2831
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-......i.X..J.........1...AgentPackageMonitoring/AgentPackageMonitoring.exe....0.......(m......%..Q..a.x....EPwA.}.Qq..I..u4..w.J...^.........p......+.`.......'7...F........r.M.{.Cw......4O..0s.M(N.p.Z.@u..h2......]%......2..8a.9.^oG.......\Ul.......hC(.......nE.......l.c*>y..U..l.a.......z`.q&:..?....{m...H..B...=..6y.y..O........an.f.1yzT...2...jA....3r....R(..w.K...`.8:..y...%...e....%.....s4...G`!....w.'~H.E....6:mo...r..<(}r...TF...^s..`'.*.....~^l..l... ..<|.a..%C....t......#...X*j....7.L@..`=...... ....3WM.......O........F.E............xE.]....i@"....5.nM...,dt"E.Y=;vj+Z.].U.<h...*.0=}c.....S(D..jK.....o.t.1I...p....p....k.M..OPo.L8.......kr.VI.N'..mN..I..7/nl..e......h.{....\.c._.lR.%..3....Pj../...D..@.......%...1.AP..W.>.,..t.bWB.Ko_.9...$.}.#..1T..F..H..UL.....5.a....S..&..de.;=A.u...W...Y..}.A.T@.\.kN2..6h.c.... ....DB.PI......6..$1..$.C.....&...P..B.%.,.H"..D ..hx......h.^.c..&P._..@....../.q....q....}.....6... ..n

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):396336
                                                                                                  Entropy (8bit):6.250697507262227
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:1fXwAmmWkxZjUCyC6ulqODyu+1QsF9K7SCHp5ZuI5MXd0XjkcdvCtUovOz6E8DnB:1fX7bwG6ulqJZaS5kzdKtUYOzMu2h
                                                                                                  MD5:B50005A1A62AFA85240D1F65165856EB
                                                                                                  SHA1:EEC370FA998AFCD06227DCB1BD5E6E2D36073693
                                                                                                  SHA-256:1867CF4FCB38F7E7FC98DDAD180C26A717360DF688A8EABD9F325FDE3C16F5BD
                                                                                                  SHA-512:63E664A8C12F27EF4C273330A8CE322CEACF12649C2BF61617ED8E394C43BF2CCAF1C2A14E2CE8807C11CE5EDD653FC7F942D0F4919923B37E1174A67393DBC4
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....5..........."...0.................. ........@.. .......................@............`.................................J...O.......(...............0(... ..........8............................................ ............... ..H............text...,.... ...................... ..`.rsrc...(...........................@..@.reloc....... ......................@..B................~.......H........-................................................................{'...*..{(...*..{)...*r.(*.....}'.....}(.....})...*....0..Y........u........L.,G(+....{'....{'...o,...,/(-....{(....{(...o....,.(/....{)....{)...o0...*.*.*....0..K....... bHQ. )UU.Z(+....{'...o1...X )UU.Z(-....{(...o2...X )UU.Z(/....{)...o3...X*..0...........r...p......%..{'......%q.........-.&.+.......o4....%..{(......%q.........-.&.+.......o4....%..{)......%q.........-.&.+.......o4....(5...*..{6...*:.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1459
                                                                                                  Entropy (8bit):5.033662307409642
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                  MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                  SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                  SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                  SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhW8:W9
                                                                                                  MD5:72133F8B7A6B747D14AD3D4BFF8CA002
                                                                                                  SHA1:476623D1CA063E5F7836DEC97384F79E9DD04786
                                                                                                  SHA-256:531EFE3FB7CACBC23B12FBEF7B426A3EEF4B4ACA64C20DF7637F4ABD46CF1FC1
                                                                                                  SHA-512:4292C7513F4843543FDDA960271E060648C7690AB48477FCE27C00220F5216FC813114078E64886AADCDD5FD42AD96DB447856C11FD5954D6B1596B744CD5F2C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=36.9

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):102448
                                                                                                  Entropy (8bit):6.190419076161021
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:OPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxc:O2bYbYSWd85I5sSakFQhHL8G
                                                                                                  MD5:F64F56F2E4DFA797D5CB4B1CBA08644C
                                                                                                  SHA1:3C2DCA64758145239E2AEF45E05CCF6BF9A7FB8D
                                                                                                  SHA-256:F23BBB31DD11D74343840FF81E37F73FB891DE7E8C6596AEED2C405DBA97CFA0
                                                                                                  SHA-512:19181FCF32B176E9D24677DF8D740D5226F5A7D044DFB24725645C951F4F7682D9CA521F62E2420C814EF177BD20F0C470B54D1C710713F75ECC7F58F7C30CCA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ..............................o.....`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95280
                                                                                                  Entropy (8bit):5.996740439887868
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:t4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87HxsN:t4auS7S5Ea6WMcpu8I
                                                                                                  MD5:EF30D465678A904C773B58CC3B1AD66B
                                                                                                  SHA1:D08C5968C279790EF2D10BF2FFC1F2DE937ED4DD
                                                                                                  SHA-256:A5FAFA659C8CEC0FF892405939E3BB32269845D4509763ADD219C15E7D2A8710
                                                                                                  SHA-512:521E64502F81A789DFB6D4FBE545F76DFE32C7998222CE3002DCEBCE5550D60AF6F29C30F9A4B8B888639CAEDB8C718BA34D88BCCA782EF13E8CE3A81ED537BD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ...............................7....`..................................`..O.......4............L..0(..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):75312
                                                                                                  Entropy (8bit):6.240212933460331
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Su2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrY1:fF+qo7mDEwj4NXLGcfgruFcg7HxRv
                                                                                                  MD5:E307CE14EC46071E8D18B6E281A4F955
                                                                                                  SHA1:2AA8E6FFF7346019682148DCBCEF44F72ECC4982
                                                                                                  SHA-256:E1E9378C07B6783755D1CB46115A1791651588BD172BD535630C306198D384A9
                                                                                                  SHA-512:2D7A23FF1D4837FA51E9C93FA0FAC0CE4F5C7744DFED28DD87C75CFF550DA121D0383F488316FF056E60C1068F59A3634E0B09D62065271B1773B73E99C54D4F
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`......9.....`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51760
                                                                                                  Entropy (8bit):6.407791203959866
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:GQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCkU:G9MYPJS/16/E8/3A+++bF7Hx3U
                                                                                                  MD5:A36553BAC1F9CBF5ECBC13F7BB830E7B
                                                                                                  SHA1:2BDACF2F0FD7ED5F3E62E4888F0A9034E8882BFE
                                                                                                  SHA-256:CC527E9A3E527C9907D1AA00564057D070BA9B269B9FB2AD8D0F3DD380CBD3B4
                                                                                                  SHA-512:9B3CD927725CCA3B2159F91406EF472506348BDB9CF1066386E1DAD1E9C2C4F4A72BF7A936AC9694F259C9F73AFB71B1CC37F9B5C0B1FF3D0259D1B9BD3214B1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D............." ..0.............b.... ........... ....................................`.....................................O.......4...............0(..........$...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................B.......H.......|E...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):155184
                                                                                                  Entropy (8bit):6.247738832262604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:T0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+Ykt:IP80zukOltwWk
                                                                                                  MD5:CE4E3B687617A7C94D73539DCD89FA73
                                                                                                  SHA1:4C6519693D081D9F03503AA5CA3312C41DA3F981
                                                                                                  SHA-256:DF753760463622BBF573AD25AC4B5184727D1F232FF68A17A1601F39377DBB76
                                                                                                  SHA-512:FA0C76247E05C1577B767373DA659A4876B3B39DA20D3D0CE8A73779306C66FD3A2A032DCD47D11A79F1A1A2A93E242651F8650934CFB98C10D4E50F111F8F90
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%%.W.........." ..0..............M... ...`....... ....................................@.................................lM..O....`...............6..0(..........4L............................................... ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B.................M......H.......d....G...........................................................0...........u....,..s....*.........*Z.(....u-...%-.&*o....*..{....*..{....*..{....*..{....*..{....*2.(....._...*2.(....._...*..{....*2.(....._...*...}......}......}.......}.......}.......}.......}....*>.........}....*..{....*...0...........o].....o^...(....%-.&+..o_....(....,...(....o`.....(....oa....(.......(b...,...(.......(c...od...+"(.......(b...,..(.......(c...od....(.......(e...,...(.......(f...og.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):215088
                                                                                                  Entropy (8bit):6.03083318319815
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:m1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sV:5Izm6pOIgvr7s
                                                                                                  MD5:A58985E020BB24EB28C965043EFBA9F5
                                                                                                  SHA1:709CB8780E30484A788EF6EADB8B76D30491F66C
                                                                                                  SHA-256:1AAED0562F7379F1998E50A9C0F8CBCFCFEE65FF2EF3C5DE2ACCD56764418385
                                                                                                  SHA-512:291CBFB3A468DA06CAA0D02B04CE5109EA3EEBDD1B4B0918D9AE45B7DB9FBEAE6842B35D4C9DF99373CAF54DFBED714577C959BE2C9DD9AA92FE2774860842C8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ..............................HW....`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):354352
                                                                                                  Entropy (8bit):6.153514122272104
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:+r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYy:+hpp9xxIBeXGfvYy
                                                                                                  MD5:B2F1B38E6DFFE1FE761A0865392161ED
                                                                                                  SHA1:D9196465705125A228494A28D5CE3F3F2C7BDB36
                                                                                                  SHA-256:8E958FEA067350A1957FC9E4F3052A1B8D28AB95D4E26A072BCEF0794FB8A398
                                                                                                  SHA-512:6E4B6BB945EF698F4552E229E6CBBB615060722D2D1E8F5877200C37C4EEC8AD683C61DA701CB9A09C79673ECA96AC8CAFC3FDF70BACD2C5507C4F0ED78BC1E1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ..............................J.....`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):883760
                                                                                                  Entropy (8bit):6.071481963565208
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQU:V1n1p9LdRN39aQZUqF
                                                                                                  MD5:CA515F4F34826F5ED5A8FB7D3259FEFF
                                                                                                  SHA1:D31158793EBB4E0CBE957158F2E42754CA826A29
                                                                                                  SHA-256:5042E33133E0422F51382C273153295DF814E5CC2FF2A4FD0D973B4AF54D4933
                                                                                                  SHA-512:1336E658AE6097598F3508424085AD288AF4B60D4FDB821A10BAC712492652F7BB06F3E53556CCBB7425A63ED48B53D368481D1F142E6B58FF7C4789737A3CFF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ..............................n.....`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960477572931558
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU/:hBA/ZTvQD0XY0AJBSjRlXP36RMGK
                                                                                                  MD5:EF06D200D340C9798A006F304119BA82
                                                                                                  SHA1:C08B838DAC97CD1376D934FB5ECA982BEB19D493
                                                                                                  SHA-256:88C838B4EEDFF929AFDABA2BA808775B1979C5C9BD7AAED36525CB1A41D8A8FD
                                                                                                  SHA-512:E67597F90A504A1B7C6AE838C8F82BF9928D49B22E896592623E9473147F8C05B974E86567E40D93D9C59602843A532034ACF5BAD2EAD78962AC2435A63E80A7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... .......K....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):293424
                                                                                                  Entropy (8bit):6.121578040837099
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:vdmT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yt:vdc7N/WkQHr64t
                                                                                                  MD5:C329213E3BAAC31E55B7E57C9B5692C1
                                                                                                  SHA1:C858EFBB991254A929A0D7BCB1087628501E6DC7
                                                                                                  SHA-256:38C66E322E92172722E36001F2C9E6151655CFFDA8D78BA730B1878FAD793FF6
                                                                                                  SHA-512:C86F49F789B40E4EEC295CB652CFC63FD5C87E51029AF975AFEFA86C57BB6A9E52DAD54993FB7186ECE73BA905EF43C50E11B85F221EBC59698D8E1845FA90BC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.d.........." ..0..H..........rb... ........... ..............................`.....`................................. b..O.......$............R..0(........................................................... ............... ..H............text....F... ...H.................. ..`.rsrc...$............J..............@..@.reloc...............P..............@..B................Tb......H.......\....V...........................................................0...........(......o......e...%.r...p.s....}......}......}.......}......{......e...%.r...p.s....o....r...po.... ....(.....|....(....-.."....}......{......e...%.r!..p.s....o........(....(....o.....(......(....-...}....*..}....*..{....*..{....*..0..a........{......W..}.....{....,..{.....o.....{.....{......e...%.r!..p.s....o.....{.......(....(....o....*..{....*....0..Z........{......P..}.....{....,..{.....o

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):277040
                                                                                                  Entropy (8bit):6.190744437011799
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:qSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYE:luQlBAMW0BvltxZ6h
                                                                                                  MD5:D6F46A4CB8CEB824CD1763B62B8F71A8
                                                                                                  SHA1:9FA3A8318D93CBDA86D2843B0783CDF0E7B28D92
                                                                                                  SHA-256:66386C99B4BCF568C95E93B11E5E89FC78556924C5BDAC9644BCCA7B04291542
                                                                                                  SHA-512:4B720C78E8B3316EAE4FD0BE2499173246AAD3896ED7AF76124A8E565977C27197C73D61474ABA34264F18D5C4BCAF1B51070484CE093814E3CA6C2804AE419F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................f.....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):284208
                                                                                                  Entropy (8bit):6.117480150640407
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:PZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHNS:Rgo0WPVTXgg
                                                                                                  MD5:74DD74986D9708CFA8F4B4F0D005B604
                                                                                                  SHA1:55C85D2BD0ACD3E14ADF6D442670BC7F3DBBB803
                                                                                                  SHA-256:7100B1A666B0AA99EE5036E23ACC1BA3CFF2E7B2C73A2EA72F5359374648349E
                                                                                                  SHA-512:6CA3A9F1D10B4C492ED4902631C38F81001BDF256014148A7628166BF1932BBBC9DDA570A295C99F918818EFBA28C82D1E33C1532A2EA8163027C14351CC4ED3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ...............................0....`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.679229646565206
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:3y/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqUeaT:3uhMaVmzDC67EpYinAMxCuT
                                                                                                  MD5:A4EFAE23A302EE53F0A81FF5B3523292
                                                                                                  SHA1:EBB0ADFB9771F4CD61A1D0A9CDFE16CE5621A304
                                                                                                  SHA-256:D1D0C53044B2BF85F5B19CAF709BEFFCED51397AE94C37F14EB94E915C6446DE
                                                                                                  SHA-512:E77C1CEB40F69342C742AACB07016EA6ED5AFB36949E00E85663EA15996C62E019959FDD44E9E0D468C91DBD89CC8EDE10CCC9F242DB7D6C87D2A6E24E6691FE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ...............................3....@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):409136
                                                                                                  Entropy (8bit):6.098144476210718
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:qPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc1j:06heZBJm333M89QAy
                                                                                                  MD5:D03824AAFFA4923C80E6D8B716D8430E
                                                                                                  SHA1:06CE0C7BAFB16D3E92B35444467DB7DE0A6C7C84
                                                                                                  SHA-256:7782C0F86CE42101799CA9828FABA1798230734D17990637040DCF15F3617644
                                                                                                  SHA-512:59A04EFE8423402F57896ED8D70419ADDF52309024606B35E485E051D21076261098DCBE5F7AA7CE5F8BFC93BE992E94A1AE07102F810B9B1E020529C52475E2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.c...........!.................+... ...@....... ..............................SO....`.................................H+..S....@..p...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................+......H...........tM..........PM..J...P .......................................6K/.%.L....7.......2.x..`..P.k:k.......0\W.j...;..xX.~..HB..S@.$.m...)4..<S1...C.Y......#ku.k&..2<..i{..>....U...s.'{:.(......}....*..{....*:.(......}....*..{....*r.(......}......}......}....*..0..5........-..*~.....o.....X...v....~.......o......o .........*6..(....(....*"..(....*.0..T........~!...("...-..-.~#...*../....+...X....($...-..-.~#...*..v........(%...~.......o&...*Z.~....2..~.........

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51760
                                                                                                  Entropy (8bit):6.2347643754291555
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Yzpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWZ:YzpjF0/t043e3vggr83jMYa/hU7HxVZ
                                                                                                  MD5:520478C4C71D99D43989786250EB4763
                                                                                                  SHA1:748AB4CFCCDB28B46E8226115C88681F72C033FE
                                                                                                  SHA-256:9708914775950619C1F13B1871CAA6FA7874891985E249F82AC60862C68746A4
                                                                                                  SHA-512:1C851D77617A8059491A1F02F81A27F8AE19CCF6EF925F63301F2C20B190BD35CFD60858121F7BA57301684A4685C87F25089040A67D1EB421A4B82AE8403B03
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ..............................e.....@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138288
                                                                                                  Entropy (8bit):6.179821808998386
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:+P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlY:+h0qjC5RMOHO420kN1j
                                                                                                  MD5:684D6E74002F9691D8CBCB135B6717E2
                                                                                                  SHA1:9FC0F5E7AF66ACD2BB0316BF28E9CC0201037EE4
                                                                                                  SHA-256:B6AD62636F7224EE73ED95D2E14EB089C34D40BFD2BE21A4C9B02D34CF3FA3E3
                                                                                                  SHA-512:76710039C919E70A551E7768C230732F71A069DA34B8BDB7B9D2B853FA9001F3D37952A90E47373F53C8D323E9CAF6726F319FEBA632C2E98F5E06716B1C8EDF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`.......M....@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.673219933457599
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Rh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBAj3IR:Ry9eEpYinAMxCAcW
                                                                                                  MD5:ACFCB0A7B3FD1002A8FCD0FD5D65F734
                                                                                                  SHA1:8507B9A8EE31430F75678470F5FA06337A76A5E5
                                                                                                  SHA-256:98A4333A188E2E88F115C5F8DDADFBED3924900C1071E3226FA5B16E22FFBCB8
                                                                                                  SHA-512:29301D054651817479EDD71E80BA4FB2E3CA449A70D7720017DAA3CF6EA2B1390E56EF763C9C9A97D099A0464439923F48D99AB0EFE2FB8B3308BDFBA7708E9A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................[....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27184
                                                                                                  Entropy (8bit):6.334413974319615
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Sn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCW4:SnvXYcIh6yFIFBYpc47HxN4
                                                                                                  MD5:0362AEF9DA024E41795F98D8B888E955
                                                                                                  SHA1:53FC9E81D01A7C97D57B9E9ED9A3872EF1E81F74
                                                                                                  SHA-256:FC5600A53DD80910B63651E9C5B3B0CA82AA5C53529F4AA0964D21BDC4C64F3A
                                                                                                  SHA-512:F65C8EAB66C5C088FB85F16914D18ACB0E2B9B201BD37C5D30B8B0FD2DE2D0AD48C74912C4293ABF611A6A64FD76B3B9B61502993C9EA680723B22A3ED88A612
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.95553243429679
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRv:R7N1r9KGI04CCARLv
                                                                                                  MD5:F25FC027F62B2075901A6677EF81DC17
                                                                                                  SHA1:A7DAC5819431ACFFF9E91BCE7C6371B2A00507C5
                                                                                                  SHA-256:39CA7203DE9D6D026F5F1E27F00A5CA28133C0494E6F2E3ED55DD2F4F0893238
                                                                                                  SHA-512:2E51930198A5DA863A4B718A3772E88532EAE7C0E2C432618B3306F40AB141B6E7435246FE578AB7CABBA4A6BFC674F690484A27793965A6FBEB542F66BFBB40
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`......C.....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 12, database pages 12, cookie 0xb, schema 4, UTF-8, version-valid-for 12
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):0.9021546589740073
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:2u5C4OoNSN1eN+5NmxdDzWL8OO7QzyO+p:D5PsveM5gpzy8OO7QzyO+p
                                                                                                  MD5:9B68FC9207917FA1B1CC08823CDB8F05
                                                                                                  SHA1:1573CD31F807F30683FB3D109CC1465A0A36F26A
                                                                                                  SHA-256:70526AC993EE081FE429561E7689F7690F5CD0D32C026644C2F7D08245C53CD9
                                                                                                  SHA-512:0798E76CA50ACDD7FC888D34A0CB7FB650564F9D07EBD0CBEE3531C49D2C2FDD2649E4DAF9F94720D79DDA7E71285C44FB8F7A8F9ABB8ABCA422CAB18C345663
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:SQLite format 3......@ ..........................................................................c..............Z...?.j...I.:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                  File Type:SQLite Rollback Journal
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12824
                                                                                                  Entropy (8bit):1.3835365829154411
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:7M5qcFu5C4OZUlFJNGdNGveXXQXN+5NG1Zb:7A/u5C4OoNSN1eN+5Nmb
                                                                                                  MD5:AA57792FCA66E48E6A36EF033937E3FE
                                                                                                  SHA1:7541794829FBFD9A123BF69582060E40F3F8D8F3
                                                                                                  SHA-256:EEF0FF89DFD2B6EBC98E235E00730091D45883609DE84DC371ACEE0A1504376B
                                                                                                  SHA-512:0BFF8C854898DF993940ED01CB89C556A664A5D30D26AB95F85BBC61F54D96D06640DAD0FDB4830C7B93DAB475991ED71CE94AD5117908926A9BF845589032FD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.... .c......j.W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1799216
                                                                                                  Entropy (8bit):6.5204766374461345
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:JuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFYm:oHmUMohVWpu8ul0UkTgNCfyo3d
                                                                                                  MD5:D066C090D3416A1D082902E0A7EADD06
                                                                                                  SHA1:57B66D2450BC314003510657A6309F9921081EF5
                                                                                                  SHA-256:820867ABD8E1D48A769C6D8F8D8626CB2D9E492D71ABFB47F4BE7BEDEAB93C6E
                                                                                                  SHA-512:F0839808A716ABCF4BB392E4BB1B2D664D004FA519048C94FBA9623481DA87FE023DF94619A184E0F7F91DD02F63BB8FAC1013D09894F000661F438EE631C4C0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............g...g...g.>.....g.>...B.g.>.....g.3.....g......g...f.^.g../....g......g......g......g.Rich..g.................PE..d.....c.........." .................n...............................................P....`.........................................`t.......e..x....`.......@..`....L..0(...p.........8...........................@...p...............`............................text...$........................... ..`.rdata..............................@..@.data...0........z..................@....pdata..`....@......................@..@.rsrc........`......................@..@.reloc...,...p......................@..B........................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):1475632
                                                                                                  Entropy (8bit):6.7918990024107115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:BS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8q6:gdwXpQdNVNDQubXyi60jXTW98q6
                                                                                                  MD5:E0C12F374C3CEDEED79A92B5279F838B
                                                                                                  SHA1:0FC4F192B32E9FC6C9FF24B9CB3129CDD925C845
                                                                                                  SHA-256:44FCAED823205977E5C1F6654C66EB9F51351F10B572CE6E914F4866B6D7B433
                                                                                                  SHA-512:AF965E825DC88BDBE35B9E7FC4A3FE360E9DE7751EE074E899BBAEF00FAD5158BB9E7A023D5FB79F0562BA4A30648A15C6B4AF363239B82FFC0F72C12BFB1095
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.rG^.!G^.!G^.!.._!d^.!..]!.^.!..^!.^.!.))!O^.!Y..!D^.!G^.!.^.!d.B!F^.!!.Z!F^.!!.Y!F^.!!.\!F^.!RichG^.!................PE..L...r.c...........!.........*.......:.......@......................................_.....@.........................0B..:....5..x....................\..0(.........pB..8............................1..@............@..0............................text...p-.......................... ..`.rdata..j....@.......2..............@..@.data...tt...`...T...N..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2899637
                                                                                                  Entropy (8bit):7.998716668580002
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:49152:CoZg4oOIjiPA+5uIH3EQVlhRBDhGBJhL3Ra1H1GzEE2q1qT7AJpvG/vlm3enDL:3ZPvM2A+oIH7lhnAgKV1qHCNGHVL
                                                                                                  MD5:19873920E6979231111E46DD7499F174
                                                                                                  SHA1:02141EDAB9CB1332950818E4F70ADF5AF4A8885B
                                                                                                  SHA-256:5E63ECA0E9B28EDF89B1243CBE91D0581EC54312F9CEFE24F2D503CDDE53BFFC
                                                                                                  SHA-512:76F7EF080D0FEFE0495AD97CC98E83DAEE63EBA76DE5440491DCAA388C8EBE3098BABFE6293BAE4C18BDAED981F2DA3D79C66258820C206E554DA882CB3917E4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-.....1L.Y............6...AgentPackageOsUpdates/AgentPackageOsUpdates.Common.dll....0r.......>......v.....PS{.}.....An..fm./7g.+b..>..G\..f.q..n.2.C.\"2;.b.q.j.Z..$.Bj:6...Q^.{.-1.n..hn........W.KkRK7.%.....jq..xY1X...W+..M...!..)..9.s$y1.../..T]...`....$7. ..%..Oe`=pr.=9..0..j.m.h.Dx..<.V;rAQ..8k..(......9.T..e.k..Q.......:S.a...u..U.....28...C?QW.3.T'...........qT1..;....^.w..u.T..7.Xe....4.)7....h...^).=4.^Z..T2.E~%.4...H...].kEc..O.OH.>c.r....4.Q[(+.:%../....n.h.#.~8cE.+b.j.B_....gQ......i....i.........4....Z.l..S..].....,..+.$<*.%..q&..SM.....M.;;..].F...JT...z..1..U..s.xC0s.GL..8.C...@.|.^_....U....9...V|W6.....O...N..r...../..$:...=....p.,.k0;.{...Dh..K....?Z'. .......-....aj . Cu..t..[.8~.@....]{........}.uj.[....E2S~..j.m...F...}.s.F...M.;...`...>...6!...H.,%...pg;.K#...$.].%?4../Du...jf.Z_..b.-Ok...wo......b{....;..T.d....2htU..........W-.zo.Zv.........m...&0..3...N.ZY:B...sI.~..C.2......./...&...a..9|.S}...\.vO+.me~.i."..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29232
                                                                                                  Entropy (8bit):6.342923752111313
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:MpYIrBWGYPHEUePsnhkgGIW7W8feKWDpQNbo1JNyb8E9VF6IYinAM+oCMTW+:yTrBL3Ue0FSTuKbo1NEpYinAMxCcR
                                                                                                  MD5:C2C3FE6C498B463D94DAA3A28988E265
                                                                                                  SHA1:469BA50E5895BE09AD12732F71C5FE104DF945F3
                                                                                                  SHA-256:B6210743704B553FE69AECDBB0647853420F759FAA6EA7C66875D38656B774F5
                                                                                                  SHA-512:B00774DFE64BA90CC4216A0673A8E60CFF4FB5F46CDF142100DA8132956E8758369C185A747D0279B8AD2ABB8B69D6A10C5E2BCC3B65F5BD3077C025D32349AF
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...*;............" ..0..@...........^... ...`....... ....................................`.................................9^..O....`...............J..0(...........]..8............................................ ............... ..H............text....>... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................m^......H........*...2..........................................................:.(......}....*..0..X.........(.......o......-.....>....o......2.,..o......,..o.......{....r...p...(....o..........*.(.......$..........&...........88.......0..M.........(......-.(...+..8.o....../.,..o.......{....r{..p.......(....o....(...+....*.......................&&.%.....0..].......~......o......-.~.....o..........o.....o........{....r...p......%...%...%...%...( ...o......*....................0..O...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1919
                                                                                                  Entropy (8bit):4.980638040615789
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:327h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:K4cw9n
                                                                                                  MD5:70934BFD2D7659E71CA6A5476C0EB675
                                                                                                  SHA1:9B1611D52D3B15A3EF0A5DB4FDBEF94BBD107379
                                                                                                  SHA-256:24FECC645D7EF3A69CF81AD72DFC95CDFC4BB313FCCF77864C9A47C69B5DD928
                                                                                                  SHA-512:0FA54C94D4A52A95F4A002062CB858222EA64D4FD8E8EF51725A440CCE9F64514DE12DFD60C41435B3B8DBA4AB80363984FD8E8350B5A9B0B75EB90044F14324
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):197680
                                                                                                  Entropy (8bit):5.747369761062569
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Y0zLj1bBKlndsFAQ1DSA8MT2tlwgVrPd+iqiTj+C+5Vw:NPjOlaFAESAewkLUiqiTjrl
                                                                                                  MD5:C0C8815ACF3A7BD323512DFEA1B0ABF0
                                                                                                  SHA1:31C42681964BA6E24578105B30C3A3947641C669
                                                                                                  SHA-256:FB33C644CB11C8A0522E7ECEC9C529EABDC1080D68BD3C21A6EEB3F6FE2FC425
                                                                                                  SHA-512:47BEAA98DF6CF7403E9BCE455964B5C378D303B959B17253104344FC48E14A09AD5889B20D4AAC06C4C1C57F42F5B826E0B71C10F1825FBFFFEEB81D36D247FC
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0.................. ........@.. .......................@............`.....................................O.......4...............0(... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc....... ......................@..B........................H.........................................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. K.. )UU.Z(.....{....o ...X )UU.Z(.....{....o!...X*...0..b........r...p......%..{.......%q.........-.&.+.......o"....%..{.......%q.........-.&.+.......o"....(#...*..{$...*..{%...*..{&...*..{'...*..{(...*..{)...*..(......}$.....}%.....}&......}'......}(......})...*..0...........u.......;..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1782
                                                                                                  Entropy (8bit):5.026919218581437
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3rrb7h+1/gYoSagFsg+w327RgdSg+CjdgDt:7rn44woR
                                                                                                  MD5:F0A8DACF41AED1B1084D1D5157DE3C8D
                                                                                                  SHA1:02D4EE2B81AF8E9626571EFDA122849B804CE29D
                                                                                                  SHA-256:09C69F2CCC14AD72805AB1360DB7D5AB486D99C5E55DC8B5F54695988811FF80
                                                                                                  SHA-512:A6F1E6BA01179DC9AFBFE04887C288142FEA9BD9A593E54977C7F050A0B0EEA96D26EBE3792038EAD56467AEBD325CF7904F3D2B4206B3FE40FB468437A6C4E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depe

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhU6n:Wtn
                                                                                                  MD5:9EB224135E992B09B71F35DA23490EDB
                                                                                                  SHA1:BA28FC16AE867AEADF9393E19827ABD3F6FED830
                                                                                                  SHA-256:50418B438425C5F8EACCF5FED9838ABA88ACE6E02CFE7A5F739C960C44E03D30
                                                                                                  SHA-512:DB6DFAF4D20AACA9AF2AEA90675F5CE56E6AEE5307682337B7ECCB3D4C3E54EBBF363C3082271A8C2E5EFF9B20CDD08C2B382ECA59789053AF7070B06EABF646
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=19.4

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):99376
                                                                                                  Entropy (8bit):6.18884582497966
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:RlAttsLnppOphwrfNIkZP0kLv+ghDBzmItlVYlkL5ihaO40QhflQCxhB7Hxi:RoESpOPptPkW5ihaOdQhfhBk
                                                                                                  MD5:C83B1F5268442EE112B7C5E3ED017976
                                                                                                  SHA1:37641A871CC7661EA4106C750B75168F469E08CE
                                                                                                  SHA-256:A1AD7CA55FAA12FD3F6066DBE283D1CFAE329168F8E6054060CE45DDB28F6F7D
                                                                                                  SHA-512:D763AF85DB80D1CC099ACAA5B36A0269C1F55F5890D6ACA47D6BF315847FF2C07AADCC89CC75DFC19793780963F99A5E1B398FBBA26392C71E9B8D3E0DDE1FE1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}KMe.........." ..0..R...........q... ........... ...............................'....`.................................<q..O.......D............\..0(...........p............................................... ............... ..H............text....Q... ...R.................. ..`.rsrc...D............T..............@..@.reloc...............Z..............@..B................pq......H........o...............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95280
                                                                                                  Entropy (8bit):5.996567781993223
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Y4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87Hxsd:Y4auS7S5Ea6WMcpu88
                                                                                                  MD5:9551AEC9EC60C8E51BC17373A6EDF42F
                                                                                                  SHA1:0A130A64216EEF14D9D9EC493526497EB6DE8115
                                                                                                  SHA-256:C191D85B761AF9E439D98D74E8132755D2C585BB82D0D912BF653580DA63F4F9
                                                                                                  SHA-512:C08E5A51D9E81170C6C9D16752AD91F7F722206CD964A4FC1D970828042CADD97949636B8A283FE0DE5972A8EACCA3AA43D1BCDAB2167D09D3AFC8A2A912A614
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ...............................I....`..................................`..O.......4............L..0(..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.655973367080629
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:+Xh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl5fcbA:+Xh+tYmNyb8E9VF6IYinAM+oCaFfcs
                                                                                                  MD5:4F8732210B0E83C718F6A9D65EF6F7D4
                                                                                                  SHA1:B93A5E21E847E86CC2F8E0CB4075BE40D268C980
                                                                                                  SHA-256:9E174654BB26A7E4F584B02391093AE2DAEFC0700391FF1953A85681CA6B0D36
                                                                                                  SHA-512:2F54F1DA2ED92E894CCB7AB74AD65DB1C5BC6F3E435D7F6CB7488030EE156F11585733A7CD610BB82A421955F8310651A629FF983DC4248E0E0600311116D470
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ....................................@.................................",..O....@..(...............0(...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):75312
                                                                                                  Entropy (8bit):6.2404926502583145
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:9u2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYd:cF+qo7mDEwj4NXLGcfgruFcg7HxR/
                                                                                                  MD5:AFFA88B8F4AAF5C4DF70AE9970CCF151
                                                                                                  SHA1:C059B1773818C6CDFE832DF00C88935D622D202D
                                                                                                  SHA-256:6F7248580551DB8F0CF185EC410F31267938C9A258AE4DBF6B257C1E5A6C84A1
                                                                                                  SHA-512:8FB0E096890594B6D146EFA1CFC72D412B4877C72155C61A19240D1DE171E16023C53C16A25F9BD7092409F08533C641AE17BDC770A437B36C4EA00FF272EDAC
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51760
                                                                                                  Entropy (8bit):6.409108893671757
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:pQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCR:p9MYn1seLE8JFMLcyMH7Hx+
                                                                                                  MD5:A98104308B1333FD329742F6EF90CD46
                                                                                                  SHA1:D086C1B80D611EA3C086B6B7E55989FECEECE053
                                                                                                  SHA-256:B94C520983BE6749E504B4AF7BA32A7EBF62BAE1D2A545961089871B0021A190
                                                                                                  SHA-512:7009FCB089DC756D33121C0E9BD6519469989DF79776457E31F0C913B3885B91C62BC7BB5C5C526D8B3E100671C39636E159CA24A5C1EAE911D730B04741D1B3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ..............................1K....`.....................................O.......4...............0(..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):145456
                                                                                                  Entropy (8bit):6.203831545567015
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:cRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIh5:w9XeDmzV2yzlhKLFU1lLVp1+2flYFss
                                                                                                  MD5:4DBE240649359167D2A3D1609B00B55F
                                                                                                  SHA1:07083C6B9A7BAC81EF6FF247969EA985B3C54EC7
                                                                                                  SHA-256:9B35B27D8ACFB6FA7F58586681C76FB65C57FC8589F3C87D502F84D788302E42
                                                                                                  SHA-512:DF43343EC70B90A80813CD47A7237A8054D7095F64757CBD579F91ED19B06931B93A13BE77140FD7C69B7620EAF88BB633CD38FE0112B1F95631101773ABB5C0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ...............................J....`.................................#$..O....@..|...............0(...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96304
                                                                                                  Entropy (8bit):5.633639288713223
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:+2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhL7HxxJ8:bQmyxL2L4D+YZL2X7SAaqywjhLN8
                                                                                                  MD5:BC1FA9EAFDB74D46CD404C564C3395F7
                                                                                                  SHA1:AA153976794C77F741AC9954A043532069800909
                                                                                                  SHA-256:ED4821858F406A49C18C4199B4CB1930D39647186939989A9D721C03BD976F1A
                                                                                                  SHA-512:03F2BF0A5F449706CBA9DA340574CED981C70297A02D7ACD4314E2F4AF07EA4D2D72545175E6104E39BAF6DBFD200A0646D025901E6D34E534DF92EB3997C004
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W...........!..... ... .......7... ...@....@.. ...............................'....@.................................47..W....@..p............P..0(...`....................................................... ............... ..H............text........ ... .................. ..`.rsrc...p....@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):308272
                                                                                                  Entropy (8bit):6.107431907158925
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:3Q8wCKFMjHq9bRwkpHNddKmTtYZo4smxTC3LnXNXa35/ZmvYN:3FKFMFySZIBHvYN
                                                                                                  MD5:99C05DBA4F5671C63D6EF255BE907817
                                                                                                  SHA1:4B911454F2AEA144478819E45EEBF6C596B5EF42
                                                                                                  SHA-256:00AEE5E4E7181891BF4C364CF349260AC230602E7DDB8F9A68D2529CD18C4748
                                                                                                  SHA-512:D2D9AB6BA2B6058922DDD094AB3E20027C4932B76C6C0E1B9288EAEF64E6A253DF6AB3EB3EEF714ED87087180AA3FE845E0F64B11EA0CF9DE4F77B7BC30B9671
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\Q..........." ..0.................. ........... ...............................`....`.....................................O.......................0(.............8............................................ ............... ..H............text...@.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H..............................\.........................................{+...*..{,...*..{-...*..{....*..(/.....}+.....},.....}-......}....*....0..k........u......,_(0....{+....{+...o1...,G(2....{,....{,...o3...,/(4....{-....{-...o5...,.(6....{.....{....o7...*.*..0..b....... ...u )UU.Z(0....{+...o8...X )UU.Z(2....{,...o9...X )UU.Z(4....{-...o:...X )UU.Z(6....{....o;...X*...0...........r...p......%..{+....................-.q.............-.&.+.......o<....%..{,................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.838236316522756
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/N9VWhX3WZNyb8E9VF6IYinAM+oCF5W40I2:1G8EpYinAMxCa/
                                                                                                  MD5:6DE9E32CF82BDFEF0961FB2D34652E0E
                                                                                                  SHA1:594F28EC0E264E8FDB9AD5F7DB0E39B09CA829E8
                                                                                                  SHA-256:D6062AAF76E078197C74E6568B1247DE0959DD3474F4AEAD6657C5AB0A818EF3
                                                                                                  SHA-512:2899A6452AE9FDDDECA907591B012FC1BDF8C65454E368FF2F08D586BE576EDB6D96D86D5B2642D6FDD14B2AB67EC54CF7372E85D88850BF8BC9358DE99CD271
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............(... ...@....... ...............................t....@.................................T(..O....@..0...............0(...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l...|...#~......<...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):331824
                                                                                                  Entropy (8bit):6.168781225160191
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:7BhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTd:7DMUWITZznu85k8Wdn8KmCjIFi3Vvh
                                                                                                  MD5:80E678BFDD93E7DFE9A707111313D825
                                                                                                  SHA1:16EB28DB750AF24E54335C85EB127B9CBA57FE4D
                                                                                                  SHA-256:1C1BA40B2891BA5CFB8D3F5638D4BA958691487CE0F439E976774DE03A81D7E8
                                                                                                  SHA-512:DA12462EF675095861616C1E106AA908537016357461049C8BAFEC8390AFD715D40D51710308281F20CB54101600BDAAB43DF8CBA81282487B9AFB2CC5E66B78
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@......kZ....@.....................................O.......................0(... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):883760
                                                                                                  Entropy (8bit):6.071467644933958
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:J1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ9:J1n1p9LdRN39aQZUqk
                                                                                                  MD5:D6850025902001E49D91F1D1B1E4C4D0
                                                                                                  SHA1:A0DD75E918BFCA1B171CE63F3C3B484FB35ACD99
                                                                                                  SHA-256:7BC658E0A3DF8C016D4CBB3E28CBD64FF0D4FD9F6F681B32A32460ABD347F86B
                                                                                                  SHA-512:0FAC50A006FFD586E86821BBD7B17C602C1EBF9CDB8A0BFF88078836258D1E30364779B92F0A7F1F908E92D66B34EBE95422630F967FE28642798851580EB6C6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ...............................2....`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.96040287359365
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:sBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUcO:sBA/ZTvQD0XY0AJBSjRlXP36RMGLO
                                                                                                  MD5:EC8D314B1652E46AFBAEBF3AB238CFBB
                                                                                                  SHA1:898A5BA8E6A1DDCAE0470AF5694FD5111AEFC2A3
                                                                                                  SHA-256:4A292A2ECF89A630AAD219C32C94540033B5C730B59CFC9304C351BAF48A7DF3
                                                                                                  SHA-512:5538C9BA7183CDD88F7C1CB10185DDC5C61B3EF84F4EC66E2C5D44753EB969BADAB370959F65A3B6E1B7396D2BAC08BD3D3E2B020AE36469EBD49B50D3CF0469
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......E.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285744
                                                                                                  Entropy (8bit):6.184647880138468
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:kZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zq:kZU0BJwuOcrl1w7HX3HWv
                                                                                                  MD5:3BC563BD709528CD61D8F504A3CF8423
                                                                                                  SHA1:473AE87186633FC687D6D91645E9FE6481311671
                                                                                                  SHA-256:465C1AE509E2AF00389B645FBB75FEEE7365FC17624D2E9237E6861B8BB30AB1
                                                                                                  SHA-512:902ED07ABBBDEA26C48D8886F5754AD76D68D5177C80B92A326F87A193A7C9F541176E001C624EE284B8E8A2A664CE13321338DAC392D21847646FEF50766021
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..*..........&H... ...`....... ..............................E.....`..................................G..O....`..L............4..0(...........G..T............................................ ............... ..H............text...,(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H....... d..t....................F......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25648
                                                                                                  Entropy (8bit):6.5620339191415304
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:MLAQk7qYbU6fX7pLk5LHAxOEaGdzBSINyb8E9VF6IYinAM+oCcS4jDf1:XRLOgbzBSgEpYinAMxCR4j5
                                                                                                  MD5:4B3BEAFA0EE0C0C857E5D3CAA0785C5F
                                                                                                  SHA1:EC697AB6E0956374F234A39EEA6F83EB04EEAE4A
                                                                                                  SHA-256:EB93BE98B146199BC0E097D1B0EE0B5E89DE7B3CB77845DD0EC0A404D79E3D01
                                                                                                  SHA-512:05498E50AC2B3724AC81C6F834EEB181F3B3706A8377BF6243CB747A344E7D3BE298754874DE4EB041869B4C8B2AA2CDFC8AC36F487644D4EF246BADD644D6E0
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u............."...0..2...........Q... ...`....@.. ....................................`..................................Q..O....`...............<..0(...........P..8............................................ ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H........*...&...........................................................0..:.......~....s....(.....(.~....r...p.o....r...p.o....(....o......*.............(......(....*.s.........*.0...........(.....(....o....r...p(....}......}.....s....}......{....s....}......{....s....}......{....s....}.....s....}.....(...+.~....%-.&~..........s....%............s....(.....{....s ...}......{....s!...}......{.....{....s....}....*.0...........(....,..(....*.{.... ....rU..pr...p.o"...u(.....(#.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2029
                                                                                                  Entropy (8bit):4.99666085039448
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3Ar+z7h+1/gYo27RgdSagFsg+w3jdgDSg+CagFw:wr+v4cw9n
                                                                                                  MD5:A8C16947BDB4CB8CF1CF491FDC02B223
                                                                                                  SHA1:5CBEC67AF9B62D270764E5D6C0964881ABD6FCBE
                                                                                                  SHA-256:0F53AF9459BFA13AB9F911AE5FDBFDEEB0A5AE48B209E117321984E409413F06
                                                                                                  SHA-512:791153552D64F1315C42F794D7C3BD9AA90F8C62D547197EB555A9DF6E08EAB1FD93921FC1FAF5015291FDB4A4173137A93FA7964E8003EF70EAD11DE10C2DE4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </depende

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):210992
                                                                                                  Entropy (8bit):5.348412302895247
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:aXLNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z5D6T:ELNkrE4AOqcIzQijLw
                                                                                                  MD5:DE3BBFAA013445B332720DA559F61FA8
                                                                                                  SHA1:7D21AAF19FBF49E758B06DD28C204E2E7B632D1E
                                                                                                  SHA-256:E0064D508B6F9A79D27E5404D414DDC090A52D5AD41016556CAFA973D89CE244
                                                                                                  SHA-512:75581D822D98E1777E052E7EFD8B2C3AFAB7BBAD9B6A0ABDB017818B6349604FF1D24878048EABE571F09211C68EE0F87FA73F3BDB801A8017D4C2DD45E5E9D2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"...0..............;... ...@....@.. .......................`......9.....`..................................;..O....@..@...............0(...@.......:..8............................................ ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......@......................@..B.................;......H.......H$...............................................................0..;.......~....s.....(.....(.~....r...p.o....r...p.o....(....o......*............(......(....*.s.........*.0..x........(......}.....(.....s....}.....s....}....(...+.~....%-.&~..........s....%............s....(.....{....s.......s....}....*.0..5.......(....--(....o......(.......(....+. ....( ....{....,.*....0..I.........i....*..{.......o!.....{.....o...+.. ..{....r!..p.o....(#...o.......*.*............'..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19427
                                                                                                  Entropy (8bit):4.994540973244801
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:hrg4wdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrdOPUDCTHffIz
                                                                                                  MD5:04178686B6E5E58B69F7DFF5C6FD225F
                                                                                                  SHA1:20E38E9E8B6EB9F182729E51710979250910798F
                                                                                                  SHA-256:F260BB0DFFA0C3969D7DCBE480F4502DD8C1696FAA7B9019247EC91C6B9778FF
                                                                                                  SHA-512:18375EA01D4B3F2CFFE413472B7E736CCEF0024A403C920A17D4E0F1A69F06347B80358AFFF4314EC6A5B9A02E50E850F94585CBF379843C07FE15883FBB2D50
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" publicKey

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):284208
                                                                                                  Entropy (8bit):6.1174239058820445
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:1ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHf:Xgo0WPVTXg/
                                                                                                  MD5:5C41C8E809BE33643D9D3BAF40868770
                                                                                                  SHA1:525C3E3D7C48A61DBD254B6526EF701F394709D2
                                                                                                  SHA-256:5DA0EF8D49FB803A8CBE8CC8B9EEF48F32C01ADF737F679751239B6BF193652C
                                                                                                  SHA-512:B30D697398D352D8D924F6E94B1FE1519B36AF9A6B8CC022513C56855F680FEA74908D2F6BFD86160CB17848799527599105216F19A3AD3293A614CD3FBDCFD3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ...............................!....`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.810303906948599
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ry8+xcexWQFW5QKNyby2sE9jBF6IYiYF8pA5K+oCGUHF1/Juf6IGhF:uDNxWQFWHNyb8E9VF6IYinAM+oC5+Ri
                                                                                                  MD5:B43FD617ADE2F12D5A5DA4BC8E2EC788
                                                                                                  SHA1:87837187C60145E7306FFCFAD18AD7667C1C597B
                                                                                                  SHA-256:090E8BC5811082D668E7834D0A69956195E16E02E4A91BF72B98FBF46C01F44C
                                                                                                  SHA-512:7A9D149AD75D799D71A4D1F8E6E16E3541B3DB4D862D4479745666FB81D376DF6751F30BD7FFE29ED930909F609CFFE389049AC3F6C67A1B8A0D589161489A2C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0.............f(... ...@....... ...............................z....@..................................(..O....@..................0(...`.......&............................................... ............... ..H............text...l.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................H(......H.......P ......................\&......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.....K.N...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.67173183600974
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:LlrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAsHI:LlrMcXP6gEpYinAMxCXI
                                                                                                  MD5:4F4631540C1A187A87328A3C26A33455
                                                                                                  SHA1:EC4184E92628A5975BBFBC5C883A246BD07FF46C
                                                                                                  SHA-256:9253E6DF69B66F357DC59023B858A1119153BD1761F8F83CBF375AB5040EDC55
                                                                                                  SHA-512:D16092954EB7B7F0B73013E85AE36D01B0A4CCD178BC804E0C0BEE34F18D85B95AB741BD57BB78792B4C77BB3664E86E785383F4886F3CDFAB2B291C2E4972BB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ...................................@..................................B..O....`..@...............0(...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.90727570833683
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Im2igOWnW8rWVNyb8E9VF6IYinAM+oCPT89clQR4:Yt0EpYinAMxCw9G9
                                                                                                  MD5:04AF1E5528EE2FE8D0E2C9240661DA0F
                                                                                                  SHA1:435875171507B9ED43A0CE168FED149BB8533483
                                                                                                  SHA-256:5D913C43020A9F32ADE24F174250AD6E674B7E5E1D2D194E9A608CBD70748595
                                                                                                  SHA-512:D83DDBBF4C3BD9AD399C988234BD22BC0502135786DE94C09FDA2AF96F6C199DBCB049135111E172C75DC1B6A86A0FE9AEBE805AE0AB1595D5F8C7F99D8DC690
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ...............................,....@.................................t)..O....@..D...............0(...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...D....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3................................................n.o.....o.....\...........8...3.8...P.8.....8.....8.....8.....8.....8.....1.....8.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.900100834273744
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:xnapn1iwwPWcGWvTNyb8E9VF6IYinAM+oCagmKtFWT:YDu3PEpYinAMxC0qQ
                                                                                                  MD5:561BD5749A37BE8B5456B477DD2A9ABE
                                                                                                  SHA1:C5A08810D97A4AA7968F63F11140B471BD8186D0
                                                                                                  SHA-256:AB42500F2E9840B11FDFCC593087164263A9925D649012C360E129AA1FB44249
                                                                                                  SHA-512:60E6236E860C01D912F46F7D72A0667AEA20622C4BBD133E8A5827A23E40D4402DA0EC4D1C499DA69737B62F2789A840FAF7ADD2859A366312D003AEC762478F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@.................................p)..O....@..@...............0(...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..t.......#Strings....<.......#US.@.......#GUID...P.......#Blob......................3................................................F.o.....o.....\...........,.....,...(.,.....,...f.,.....,.....,.....,.....%.....,.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.909092148900759
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:0HLaEav5aaUa6arWVLWwNyb8E9VF6IYinAM+oCg3KR0m:pPv5t/NOZEpYinAMxC8y0m
                                                                                                  MD5:B27DC693D37DE1FEE4C400B0B9311038
                                                                                                  SHA1:FABC7D3D07D253DD6DD8E9956547AF9A98614231
                                                                                                  SHA-256:A6AFE6EEADFE54E0A578734FF2F3169935C3D00D426B26A3DA851B7F5AB411ED
                                                                                                  SHA-512:2872AB1291F19B95BE680DC3449ABF1494E7CBE3E24EB15D15C5F3D11F720EB6B5E2DC2088A8EF59B8C4446E188648B344E11A59FD80BA2AAEE7EA4E6B54351C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ...............................]....@..................................)..O....@..P...............0(...`......P(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................`.....`...t.M.................................=.....V.................q.....Z...................G.....G.....G...).G...1.G...9.G...A.G...I.G...Q.G...Y.G...a.G...i.G...q.G.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.760910226841751
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:y6iIJq56dOuWSKeWRNyb8E9VF6IYinAM+oCHDRxQFj4p:kiA1EpYinAMxC9my
                                                                                                  MD5:03BAFE2B0D9C25FC8389BE1D2823A249
                                                                                                  SHA1:5DF8A0DF95DF2903431EB43A39547348B2CB8296
                                                                                                  SHA-256:4849FFE52696C4D702AF03AFAFBD98611CE4A772C0003E674FED6E9BA8E71B27
                                                                                                  SHA-512:6B1D6933B443431C6C59B415C0D2D2E04AFFE7398DF9957E016EA105DEDCDB4D1ADA74AA1CB5817B568D2843CB642FEE287CF3DA2C6C43DB1EE6CD89565F6561
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............*... ...@....... ...............................o....@..................................*..O....@..................0(...`......L)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..|....................(......................................BSJB............v4.0.30319......l.......#~..|.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3................................................k.~.....~.....k...........*...0.*...M.*.....*.....*.....*.....*.....*.....#.....*.....x...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.8160199063054066
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:anzz+MpSaLWW0+W1Nyb8E9VF6IYinAM+oC1JGQ:8puxEpYinAMxC7L
                                                                                                  MD5:99288A77139306B255ECCEE6E04FF5E9
                                                                                                  SHA1:0100D47BD44135FF86A8A5CEA2E10480BC7CB638
                                                                                                  SHA-256:30E35ADEB88183F7295D966CAA6677760945C874FDB60DB7351634D70D703093
                                                                                                  SHA-512:FA633652D1106618EB8DA1F3336E5E599D83F66535ED2D004EE221580FA1CD8C6DBA31C752F4377491FF858C975BCAAECF7CC6D7F73A6A7FA2A98FF582A656DE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............B*... ...@....... ...............................h....@..................................)..O....@..................0(...`.......(............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$*......H.......P ......................8(......................................BSJB............v4.0.30319......l.......#~..t...@...#Strings............#US.........#GUID....... ...#Blob......................3............................................................V...........j.................i...........8.................S.....<...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.862739539471698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EGhr+YUfyHxsW/HWZNyb8E9VF6IYinAM+oCVUtE:zkmoEpYinAMxCH
                                                                                                  MD5:4B1F70EB3EF0800B380DA8EBB2455838
                                                                                                  SHA1:DBDEC83C56F182B28BBEA493042CA7A476E250FB
                                                                                                  SHA-256:095C883C0CC8B4DE5CE315FCA97DFF863830B7FAB09FF68ACC0936607A6FBD52
                                                                                                  SHA-512:04AA63D67B5CB58079ED51F0AC2C7CA0A9F306FA8EC306D817220A2C1D794B26E74D1CD24A2F9A2B52628DA338F3E5203E64A688BBF163C88EF4BD108B9F7925
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............+... ...@....... ..............................2.....@.................................<+..O....@..`...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................p+......H.......P ..4....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................................Y.]...{.]...6.J...}.....r........... .............................................................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16944
                                                                                                  Entropy (8bit):6.792287006749931
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:IRE+ruiA5vzWeNWkNyb8E9VF6IYinAM+oC4XjFOGm:IS9bXEpYinAMxCYIGm
                                                                                                  MD5:025AD1826825E19E60449091675EBFEE
                                                                                                  SHA1:44D15D48991D974E209014DA108B9BC5BF0D96A1
                                                                                                  SHA-256:CEF0F0DDF6B6C2295C0D70D48ACAC3F9CD956C40A1B814CC573CD7840E5093AC
                                                                                                  SHA-512:15F78E9FD8A6E86B030FFCDEADCE9D50B01E46BEE83ABAC40F4AA880A490606361A346517A5D34897B83758388C888E93C4EE7F621F13F34B59440BA3F7BE70B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0............../... ...@....... ...............................Z....@................................../..O....@..p...............0(...`......T................................................ ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................./......H.......P .......................-......................................BSJB............v4.0.30319......l.......#~......@...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3................................;.....Y.........8...........<...........P.......................X.....q.....g................."...................I.....I.....I...).I...1.I...9.I...A.I...I.I...Q.I...Y.I...a.I...i.I...q.I.......................#.....+.....3.....;.%...C.@...K.`...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8527441270087515
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:4T+6ywnVvW0LWoNyb8E9VF6IYinAM+oCczSBu:499tEpYinAMxCLu
                                                                                                  MD5:0F1F604FC675C153112AAFA7B3CD35F5
                                                                                                  SHA1:26D84373B4E998F26E80DB7292BA3AFA3F2F4D03
                                                                                                  SHA-256:FFDA559466831113D81540B0CC06F959D8771777BC7A9DF50167D8B3390A3900
                                                                                                  SHA-512:B3BDF3792CE2D7E1CFD051192D521BDB8CCE99C07EB6A90951DBD8E410FE05A16FE123A40F3E0C6F63D2BD9E3E31B8633FC86D355F9E3448CADF8B2FB553BC4D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................e.....@..................................(..O....@..................0(...`......|'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...h...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....7.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8485217436146
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:YRbzriaXT+WlEWENyb8E9VF6IYinAM+oCri+trE:O7icWEpYinAMxCu8o
                                                                                                  MD5:7699FF017862D54F706B757522EE436D
                                                                                                  SHA1:56415E9BFD5D530AFD751B7DCA35DB2FC7BC4FB2
                                                                                                  SHA-256:9DCB4C285EDB926A2E8F808EC6550D9589C17EA77A2AEAD4239F2B0F14B1E32E
                                                                                                  SHA-512:18674E269C9BEC0472EB7075310730C4E2239AE27DF237F79C73AD5E3019F10372963B689438F5A177881E3883D5B04B6261BD0742324F79E33362B57DA41CB8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............6)... ...@....... ...............................0....@..................................(..O....@..................0(...`.......'............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ......................,'......................................BSJB............v4.0.30319......l.......#~..H...x...#Strings............#US.........#GUID...........#Blob......................3......................................................k.....?.....$.....S.................R...........!.....j...........<.....%...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):148528
                                                                                                  Entropy (8bit):5.4178270851166594
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:6HOdYYWg+GImdMEGK61wb5nx03LBblQ6Ndk66byYSI4Zki+BReD4pK/uYxtl+97b:NdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+9/
                                                                                                  MD5:E0FDFE274C85F41A36708549F567DC66
                                                                                                  SHA1:AEB7C489BCF2644B22B84F9914F4A6B89A9920D5
                                                                                                  SHA-256:5085A0CD0657F3ECB227B9F87AC760A34D445B211FE39F72B822218E4974A739
                                                                                                  SHA-512:C44C5D0BCEE4DB63A6B4C73B9D663073DAB59F8AA9697DACEA5F46A0BF311862DCDD7544014BA64E4E967995EE3796BA1C340CB7FF5764112858BDDB0062FE91
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............,... ...@....... ...............................5....@..................................,..O....@..................0(...`.......+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........A...............?..h...t+......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r;..p.(....*2ro..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rK..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rM..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.812160470049198
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:NzNnzx7FWjYW5sHNyby2sE9jBF6IYiYF8pA5K+oCGUHF8oymiaaJDRY:hRtRWjYW2Nyb8E9VF6IYinAM+oCItW
                                                                                                  MD5:B0F3F032F7825DDE1F13E482B4CAF38E
                                                                                                  SHA1:6CF6E45C2982FCE84F6817FD0CCDEA147BB207D5
                                                                                                  SHA-256:78502357C3FED85000D348121D62BA9B5927C14661FC68D7E37E58B5A466B702
                                                                                                  SHA-512:2C248BD3D4E19CAE045DC8D6B5ECFE46C96A46AEC10BBC9DCE57EB31CC631E544D912C2E41744E64632F96784527161E4954C24687469026821C976D3733F3A9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ..............................3.....@.................................x*..O....@..@...............0(...`......@)............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................*......H.......P ..p....................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings....H.......#US.L.......#GUID...\.......#Blob......................3..................................................-.....-.........M...........[.................'.....@.................[.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.894107837143539
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ReWnoWXNyb8E9VF6IYinAM+oCG1+MShLbGq:RntEpYinAMxC1Mvq
                                                                                                  MD5:6AA890B1CA29BA41BAAB4A86744292EE
                                                                                                  SHA1:6E28910CF5A08784CA5D76CCF855721B94918A44
                                                                                                  SHA-256:5FC6CA69B09B584BC118CABCB04128AE83371F1D19D53B5F1821ECDF2D2C859F
                                                                                                  SHA-512:4BA4CC53D223E6D1C289070E4191393448F698A78E37402AD09203651A6B66D145B56C82EE8F0E82EC9FCF99E02A7BEDB4840A572D472D2518DA08E0E05CFAA2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................!m....@.................................X)..O....@..$...............0(...`...... (............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................)......H.......P ..P....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings....,.......#US.0.......#GUID...@.......#Blob......................3......................................K.........]...........d.............o...".o...?.o.....o...}.o.....o.....o.....o.....h...-.o.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52784
                                                                                                  Entropy (8bit):6.247628824459115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:pC5mb2//6hDjsgXj55UJ6DwrKts7EK5m2yFVBg6WZZjbUpUhDIEpYinAMxCMy5:pCYb2/CRv5M6jtUZjQUh17Hxb4
                                                                                                  MD5:C001B77796CB926BD9DEC6DF5A7D9445
                                                                                                  SHA1:123CB4FB6E2CCB0CD05C738497BFE132E5928C21
                                                                                                  SHA-256:E9B7F862256ADF23BEDECFA8607540E3AFE5FB9D0AC23925E8FAFAA0DC8661D3
                                                                                                  SHA-512:77643527B6E5C35A47DDBD8F5667121A9432A87E7DE21280B669228FE398DEBA79524A6B77EFD3EAB0A4F5B3C451E25FA3685E3F14E509E741C1FD30339BFD8E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ....................................@.................................h...O.......................0(..........0................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........I...l..............0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.853814679304912
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ZxGxIZWJjW55NNyby2sE9jBF6IYiYF8pA5K+oCGUHFykqG6:Z6oWJjWZNyb8E9VF6IYinAM+oCukf6
                                                                                                  MD5:2D1E64C6363F520A4B09EE67CA44BBE0
                                                                                                  SHA1:A1D1CABF2DC5A03B193A435ADD236438C3FD5E0A
                                                                                                  SHA-256:32F80F2FD7EC40AB166D32F9718C6F52F024A4C16A410B95D26CB83B2A3457CF
                                                                                                  SHA-512:AC2662EF95C75FCD79525A0219B598EAFE0EED22E3FD6CAC1C024F37E095F0668DBE529020CEA1383EE7AAAD32C5C4349544EABE23199B9AAF70BE053C20DA59
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@.................................H(..O....@..p...............0(...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................|(......H.......P ..@....................&......................................BSJB............v4.0.30319......l...|...#~......(...#Strings............#US.........#GUID...$.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.$...C.?...K._...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.775913255662062
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:zqk53/hW3fZ+zW3Nyb8E9VF6IYinAM+oCjF9:zqk53MXEpYinAMxCP
                                                                                                  MD5:05A320B376EE93BE8E3E26A2CA823B10
                                                                                                  SHA1:4F02AA8E1741C094813C08F66B17D61263D437A9
                                                                                                  SHA-256:422876979DC3BDE89C3AEC38D43C48A3DFA80D9446748E55EC26AAAA195744B6
                                                                                                  SHA-512:177F6628AF9F0808B8E7A4F8C7D12F5AE45A829DACD10E531A27FD5C150FD3FAAB5729112AD75B8E8BE5DB71C6D1A0A4559BF522D5A90DA1749CD5A25735013A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............**... ...@....... ...............................Q....@..................................)..O....@..0...............0(...`.......(............................................... ............... ..H............text...0.... ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................*......H.......P ...................... (......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................j.q.........~.................}.....3.....L.................g.....P...................k.....k.....k...).k...1.k...9.k...A.k...I.k...Q.k...Y.k...a.k...i.k...q.k.......................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.661314849678409
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:WFCc4Y4OJWfOWqWWOWyNyb8E9VF6IYinAM+oCwOS/D:2CcyCCEpYinAMxCOD
                                                                                                  MD5:244105479AAE00122795AB55C02D27C5
                                                                                                  SHA1:4D02969813A1EF3816DA8EDE3740E3A448380D43
                                                                                                  SHA-256:9F81EDA0A759D7681C42DB5FA8967CEC5350761E14E6FBB998709C1D3FAC3BC1
                                                                                                  SHA-512:74F5EF78035495A409BD02A7F97F54B71E5E5929F937981B02FA5E1147B2F493B32339B62456ABD0D3751FA7C955B168EE849EBB099DAE7E9CE84A8C3CAE307F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............N.... ...@....... ....................................@..................................-..O....@..................0(...`......L-............................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0.......H........ ..4....................,......................................F.(....~....(....*6.o.....(....*6.o..........**.o.......*.~....*.~....*.BSJB............v4.0.30319......l.......#~..<.......#Strings.... .......#US.(.......#GUID...8.......#Blob...........GU.........3..................................................8.........*.h...m.h.....Z.....$...........Z...+.|.....Z...1.Z.....$.....$.......3.D.......|...F.|...c.|.....|.....|.....|.....|.....|.....Z...I.|...}.Z.....Z.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8760364981132405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:rlTx93aWxMW5VwNyby2sE9jBF6IYiYF8pA5K+oCGUHFwPtrnPi6:PAWxMWANyb8E9VF6IYinAM+oCMPtrPj
                                                                                                  MD5:76011DDB6222C1DDF8DB8DAD81822DE2
                                                                                                  SHA1:98E59A56051E878AA59574CB18312E3C4DFC814E
                                                                                                  SHA-256:B6B4BA9E826F30B91768844A9C6B76F6CC5A3342CAC2BF86B0E94AD5EADD4840
                                                                                                  SHA-512:C4C07155FA550C878ED73C9C101787093F73110F6B1C7C90FDE931DC453BD6EE4E63211E764FC39ECA2F0B07DAB437CCB6097BBEA4D2E6975A5BD759DADA183A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................>....@..................................(..O....@..................0(...`......L'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..|....................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....D.......#US.H.......#GUID...X...$...#Blob......................3......................................z...........!...\.!...0.....A.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.,...C.G...K.g...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.855299035225063
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:sYqArxbYWHaW5uiNyby2sE9jBF6IYiYF8pA5K+oCGUHF2zfxGLNDPIh7:6AlcWHaWBNyb8E9VF6IYinAM+oCyoxa7
                                                                                                  MD5:6763462D500565BB723D6AE7DD376177
                                                                                                  SHA1:5BA25C0C7F2E66FBC00CF752EACC0F0757ED69F7
                                                                                                  SHA-256:E77307BFEF76BEBDEAC6916FC6051CDB8C7CD5347660A0A2FD216C0021A4FFF3
                                                                                                  SHA-512:34EA0E54D86A6E5C588C164D5A13854F9C133DCB5E59E1D5123F3E041EA1300DC327ADAD16AED58D3F455AF6CEF5CC04D8C6C65791D2B501FED17752A731B990
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................I.....@..................................(..O....@.. ...............0(...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......|...#Strings....p.......#US.t.......#GUID...........#Blob......................3............................................................`.....1.....t.................s.....).....B.................].........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.778616544811202
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:lGIZnWlNWmNyb8E9VF6IYinAM+oCpcstTLAF:cUyxEpYinAMxCPYF
                                                                                                  MD5:B2385B0E04770B808F5F51B4F267DE63
                                                                                                  SHA1:DBCCFFC5F25E153512F4607827A1DCB0672DB7B7
                                                                                                  SHA-256:7377730E697EEA5E6FD7A9E91B4967E7669D9CE6EA9B0C9DEAA3A219C1381BE0
                                                                                                  SHA-512:60D576EA65C7FCE3D3F65DB2EC3D8CD14C833723AC5C56D1F299608E63AE520A0AE8A099EE48D883377C333E31797FAC108584C98ED6E577CAA8929D58E92BAD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............2*... ...@....... ..............................oR....@..................................)..O....@..P...............0(...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...\...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................t...................................=.....V.................q.....Z...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25648
                                                                                                  Entropy (8bit):6.495901336244438
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:UlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdW8Nyb8E9VF6Iq:SQq33333333kX+TBi8rEpYinAMxC/L
                                                                                                  MD5:5F4C0B3A7F2FB0DB1B1B20969BEF7168
                                                                                                  SHA1:CD470977A3442AABCCB143FA078839C5078D6AB6
                                                                                                  SHA-256:A5DAD8CC289C2E342FD57F2153BC1B704CDDDD42C508BBD737765348B7636A3E
                                                                                                  SHA-512:EE8938258AD481225DBD44B9A56A62FF19C762B200A23720630629553EC386B1D0F999C73F6D949969353A66994E860EDFCA94A18154F32354B98F400DDAB925
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............RM... ...`....... ...............................%....@..................................L..O....`..x............<..0(..........PL............................................... ............... ..H............text...X-... ...................... ..`.rsrc...x....`.......0..............@..@.reloc...............:..............@..B................3M......H.......8*...!...................K.......................................0..H........(.....-.r...ps....z.-.r...ps....z.(......}......(#...}.....{.....o....*"..(....*....0..Z.............%.r#..p.%..{.....%.rA..p.%..{..........%.rS..p.%..{....l.{....l[...ra..p(.....(....*&...{....*.0..4.................}......+....{.....".......X.....{.....i2.*.0..k..........{........{..........."....(.......X....{.....i.0%.(..........(.....(.......,..(........"....3.....}....*.......=..M......

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.852030061615908
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:l28YFlXulWY/WnNyb8E9VF6IYinAM+oCKD9B9:l0q6EpYinAMxC2
                                                                                                  MD5:40EC51C679114A8554D35F8EAAAE33E9
                                                                                                  SHA1:F550B24B07809FD1BCF258A84958FE56630A89CF
                                                                                                  SHA-256:1D1044444D0DE0F9D48675C6FF61936287518356DAD7CD2616C0EF0F04E20AEA
                                                                                                  SHA-512:235A3BA54BBE957166B69E436FD0F57F52250E53512839D0A7D072F4058B246F6E8EED5E09DCB2DCD48F8CC13AE1DCE4EF2602B7BCC4AA70BF1B9D41E227E9E2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@.. ...............0(...`......t'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~..,...P...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................~.....R..... .....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.729765410025899
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:yuMLcdQ5MW9MWBNyb8E9VF6IYinAM+oC3a6sQ:fOcSpLEpYinAMxCkQ
                                                                                                  MD5:098AA5F5859D20B7719F6CCB4AB5FA3E
                                                                                                  SHA1:5BC4ABBF4605C74475690DA70379086462408B42
                                                                                                  SHA-256:E01AED7DF04EA4C2F66294E2C38D19FD2559AD2CD91AB30175FA574971027B85
                                                                                                  SHA-512:6654A2EF0D54C94BCDCD45412997DD0CE2DBE0EE7675DF47AC7D10DD9A61A0DBF3A00A7E96E468FA0996BC51E2CDBBEFF45EC9FA75101E918FC14F6F274BE030
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............,... ...@....... ....................................@..................................+..O....@..................0(...`.......*............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l.......#~..p...0...#Strings............#US.........#GUID...........#Blob......................3................................................;.........................$.....$.....$.....$...[.$...t.$.....$.....$.........g.$.....#...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.817127728987462
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:FZ7RqXWDRqlRqj0RqFWVNyb8E9VF6IYinAM+oCVaX/:D9qKqjqjuqOEpYinAMxCk
                                                                                                  MD5:9C9C0184972082224CD5D3F2AF6E0E77
                                                                                                  SHA1:D0D7C46D04D6DC7264E5C6BE53CA34DDBCD4FE58
                                                                                                  SHA-256:B2C0A24B2757D61DBEA647EDBE2D9FCC142846EF146D1654258C7D45914D5CD6
                                                                                                  SHA-512:E1CB8A9BA85ACD7CB8C10E2A922CEB49D2FA0E01EA0FFEBB742B5571FD8BF857BE8FD702D891C3C75676CB4B861091FA7EF8D095D23B3CAFBB828B286F1FCD0C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ....................................@.................................X*..O....@..P...............0(...`...... )............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ..P....................(......................................BSJB............v4.0.30319......l...L...#~......l...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0.....%.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20016
                                                                                                  Entropy (8bit):6.62945691310315
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ANBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9WSNyb8E9VF6IYinAM+oC3V1rD:AvMhF2SzNzwu/NljuREpYinAMxCj
                                                                                                  MD5:EA13EEE1E8B3A2E19CF2AB5BDE0C93B8
                                                                                                  SHA1:8FE61EA0D50065AFC142C7CB594F5D324991E639
                                                                                                  SHA-256:18E32A5B970F01BE86360A233CD484F3FF3C4D2CAF175CCDF6AB0079961419A4
                                                                                                  SHA-512:7E0880BB0CC2964EA473CA0302270605714F36E43A9FF60A9C68396C9B8240DE861010005521490F3C19A7D35B0334792E3DCF6F2775F42A0CA27682358C8DF2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............6... ...@....... ...............................V....@.................................a6..O....@...............&..0(...`.......5............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................6......H........"..H............4......(5........................................o....*"..o....*..o....*"..o....*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*...0..K........-.r1..ps....z. ...@3.(....*. ....3.(....*. ...._,.(....rI..ps..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.901409880946083
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ubZ4RLWdRfRJ0RZWuNyb8E9VF6IYinAM+oClyR1Fk:ubZK0pJu5EpYinAMxCo6
                                                                                                  MD5:7EDB4DA2D07025A04DD098A07923BBBC
                                                                                                  SHA1:C6D556324D9DEE8FE9D8DE68841634425924789F
                                                                                                  SHA-256:042C0F918096612422011D42D0A3E22757B57457E8677973BDD4E5694C0226D9
                                                                                                  SHA-512:0D47E6CDD8DDE2FF5F0FC26745A434995DAD39D1D6BB5766D93B0635CA6DFD786B9680054B48AC6C5ABC3AF79C55E2C16DD2CFB1D621BAF1145277D8B8A60BFC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................)..O....@..................0(...`......h(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3......................................................m.....A.{.........U.................T...........#.....l...........>.....'...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.798639249065837
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:0Fx+WTIEfW50ANyby2sE9jBF6IYiYF8pA5K+oCGUHFz9ZITneu:UYWsmW5Nyb8E9VF6IYinAM+oC39mrt
                                                                                                  MD5:DF12986E7A5DFF2263354737C9436809
                                                                                                  SHA1:A1B4880508F135C4BF5FAEBF479424CBEC8FF342
                                                                                                  SHA-256:BBC06214E5835B90D0054EAAD5F80FD40BF43CE4A29E99AFFD12AED7E567A938
                                                                                                  SHA-512:F6EAB6C15A452D1F6092435A3369359F5471609DA1098F26EEC6BF8968C8865009EA03DF5AD886275D90D5D242D68F15F1C0ACFCB66015A735E9247CC5779E01
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............*(... ...@....... ..............................au....@..................................'..O....@..@...............0(...`.......&............................................... ............... ..H............text...0.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ...................... &......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................z.....N.....".....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........:.....C.....b...#.k...+.k...3.k...;.....C.....K.....S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):105008
                                                                                                  Entropy (8bit):6.382307221380866
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:kvc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXW7Hxcb:kgk1tiLMYiDFvxqrWDWNoJXWKb
                                                                                                  MD5:81A43DF8AD73BEE719B131DEF479F5CB
                                                                                                  SHA1:8ECB4E33C8E2AC7D30BA37B1D4B12331E8DD9F9C
                                                                                                  SHA-256:5282224AC49FD93AA4E5731F8D23D36A0BE8830E1240CE803A94131B30F269DA
                                                                                                  SHA-512:B426CF15D47974CF2AF37AC322C6DC956ACC647BA67641908D20BCDD0AB443C50239AD0A563D998DBB6A5AA5684AAB2AE7A5772922EF81B0FFFEC5970EB3E223
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..d...........W... ........... ..............................WV....@.................................5W..O....................r..0(...........V............................................... ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............p..............@..B................iW......H........................9.......V......................................j~....%-.&(I...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r7..p.(....*2rs..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r=..p.(....*2r_..p.(....*2r...p.(....*2r...p.(....*2r...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8542726522556805
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:AKcuz1W1cWMNyb8E9VF6IYinAM+oCLnrDoqi:Qu86EpYinAMxCbs
                                                                                                  MD5:0E639C40291252B6B94BD56C8C2E4A2D
                                                                                                  SHA1:30A19A37E9972AC4D10E578E314AC286F9126045
                                                                                                  SHA-256:C4B9D13CFC96C03B2A1078B76155CF8C93D27858EFAC6321028C307FA43760B1
                                                                                                  SHA-512:819B1AAD6958F96D4A0FCD4B48228B8D4A4FE24432FF706DE69C93E96AF1D03814E8F0A3065B3B228A77DBB874995454A271237F87D94279CB896C2645424A7F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................&....@..................................(..O....@..P...............0(...`......H'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..x....................&......................................BSJB............v4.0.30319......l.......#~......H...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................................p.....D.....9.....X.................W...........&.....o...........A.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.864879066460218
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:LpXYpxjSSWikW5I0Nyby2sE9jBF6IYiYF8pA5K+oCGUHFUd79eOJaZWK:Y+SWikWBNyb8E9VF6IYinAM+oCAd5QUK
                                                                                                  MD5:D81808C4239C950E30821393BE815794
                                                                                                  SHA1:84DA8F3786D0E8CA360848716E61CAEB059941A2
                                                                                                  SHA-256:42B58E52682733FA8F505B784EBC3CA7C7E8C529AD6025AA324984E47FE0BCF2
                                                                                                  SHA-512:F0D869406437F20B35FB536319BCA29C3DFB914342AD2497D931EDB7B742424C19AD92A3FB985AF14172CDD7BD36BA6B690642A17578479A8AD0DD80F2E781E9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..P...............0(...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....h.......#US.l.......#GUID...|.......#Blob......................3......................................................y.....M...........a.................`.........../.....x...........J.....3...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.906247186393836
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:QDxxhREWzgW5mGNyby2sE9jBF6IYiYF8pA5K+oCGUHF76amamyTds:kAWzgWlNyb8E9VF6IYinAM+oCXE4O
                                                                                                  MD5:1E5980ABA0E632BDAFAB1AE983BC45D6
                                                                                                  SHA1:E6C5185B87C8665D9035C85EE43076A522F48035
                                                                                                  SHA-256:8D58C4BF0AE55D775F42779631467A370A335EB88BE978F0225D7DB220CEAB6F
                                                                                                  SHA-512:2E6D6DBC48CB7F54E34BA964AC9E8BF23D4D70FE0DE2B1698B3BB70581B80E9CFFAC956C9508C890C7450AEC639DACE1FDB7BEB31DB0B96885D8904DE9DF9B85
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................=....@.................................p)..O....@..@...............0(...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................C...f.C...:.0...c.....N.................M.................e...........7..... ...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.863001513688545
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:7BLRWbYWAjNyb8E9VF6IYinAM+oC7c/T/b:7B26/EpYinAMxCYLT
                                                                                                  MD5:9A3283DE5A97F5B005A4A9EBC5CC8462
                                                                                                  SHA1:23F8985BF7970358804441DC8FA7B4FA3108F735
                                                                                                  SHA-256:12066B4AF070977FDAFBAE7DA3EF6BD23E2A4D72FCF4F2811B7D1F86FC4548C5
                                                                                                  SHA-512:25A177E266B8A83CC959BD154DDE33452FBB09A9F754C571195E281C536AB0244C47C35C019E4DE47989A0EB56433A630198B905919C06F71462A681F36C115E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............b)... ...@....... ...................................@..................................)..O....@..................0(...`.......'............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D)......H.......P ......................X'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US.........#GUID...........#Blob......................3................................................../...z./...N.....O.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8559103413814135
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:0ZxcMRW4/W5x9Nyby2sE9jBF6IYiYF8pA5K+oCGUHFyF5FwNi:QHW4/WRNyb8E9VF6IYinAM+oC+mNi
                                                                                                  MD5:61267F80038F9F92D25E8A4AA6699D71
                                                                                                  SHA1:6657E4B501CF6DA418FA48D2FF355FB5F841DE43
                                                                                                  SHA-256:2669F22BCDF69F2AE9111B0FC4E0672E227A751F67F0E4302E25B656C40D4E2C
                                                                                                  SHA-512:4DDF947DAF9B46DA0385D07C72754C386905DF18A267B8E699AF5EB4C6F4C84481539EAB182D80B42F9823D766D5BBBB2AB441FE13EB588345ABDE0F82E324C4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................5.....@..................................(..O....@.. ...............0(...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......\...#Strings....`.......#US.d.......#GUID...t.......#Blob......................3..................................................+.....+...^.....K.....r.................q.....'.....@.................[.....D...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.9120881175384286
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:2YvkRxpHWmCW5O7Nyby2sE9jBF6IYiYF8pA5K+oCGUHF69Sz:vvk7hWmCW0Nyb8E9VF6IYinAM+oCuEz
                                                                                                  MD5:4314D483552C965E658C7C58929A8D6D
                                                                                                  SHA1:DBB6F9A41B8DE539BF082B26CF9367346FB32B3D
                                                                                                  SHA-256:3A464BD5D7D29694A52A84EBD32D57F6225DCF08F392993B041EF37AB17171D5
                                                                                                  SHA-512:AA1DF698A6923F83A057E48FCA8E811A2F1C0DDE698C6C40480187F0651C9F2BD384BF6090F95149F3D2BDAE9FAED36EE1B1EAEB23BF909FD10F8B5A40B997F0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................h)..O....@..0...............0(...`......0(............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................)......H.......P ..`....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....8.......#US.<.......#GUID...L.......#Blob......................3................................................ .C.....C...w.0...c.............................@.....Y.................t.....]...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.875758648591913
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:CUiW2xf+C/WCUW52DNyby2sE9jBF6IYiYF8pA5K+oCGUHFLZioEt:gGMWCUW4Nyb8E9VF6IYinAM+oCRwt
                                                                                                  MD5:E3B700A74640FC81B9CEA927D121C2A5
                                                                                                  SHA1:9B8C917E4D7C673AB043BFA615A077D8FB49AD44
                                                                                                  SHA-256:C11438FBBD7136B75F58B2EE21DA25827B814257A5489AF3957901B37BE876C7
                                                                                                  SHA-512:8E7B9AFD381EA16975E8C92596805523BCDAB80CE64B71EFB87C91C402D9C017DE543E074EE2517B1866E6783D972651A8E328C66CD60C3C69C93B74B6DF3167
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...............................'....@.................................@)..O....@..................0(...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................t)......H.......P ..8....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US. .......#GUID...0.......#Blob......................3..................................................].....]...T.J...}.....h.$.....$.....$...g.$.....$...6.$.....$.....$...Q.....:.$.................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.857054298846541
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/BhwI7WSQWLNyb8E9VF6IYinAM+oCCtgMW9i:/DwIBlEpYinAMxCvw
                                                                                                  MD5:4214C8ACC40CE0164D9EEA22687CE0EF
                                                                                                  SHA1:1F156837CCDE47CDB77BD919C6C781FC775E02CF
                                                                                                  SHA-256:8AA7AA16F30C28D46C97925EC3A967B6350BAF257EC49C3DC031F535D884397C
                                                                                                  SHA-512:B59A35FA0A41AE721E1F143317934A5A3E380245993A1A370AB31CEAE3150AC223A5A53B4AA43247A632DE13BBD91513E2A1E89D5FD44C20CE757D96C25E79C9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................o^....@.................................l(..O....@..P...............0(...`......4'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..d....................&......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................f.....:.....2.....N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.870890431174606
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:kNc/vlxK6FW4lW5TYNyby2sE9jBF6IYiYF8pA5K+oCGUHFLKKPfewkKCi:SyvPRW4lWaNyb8E9VF6IYinAM+oCnKeP
                                                                                                  MD5:39546D501824B31001C237F69672EDFB
                                                                                                  SHA1:B7A4EE51B65F2A52C2B0A1557FAC4A6B86571544
                                                                                                  SHA-256:D86E70FB7EDB31E59242E5ECEC1617F83928025B243158E17E100F5EE06734F2
                                                                                                  SHA-512:56F776BAB2BBEC01B43AADED0414085A52A4687F6E78393CC556F75D3C13726A3D71FAAA4D29D28645BF97D14CF9D773972D413D2553C8666BE260714E275779
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................)..O....@..................0(...`......l(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................f.....:...........N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.&...K.F...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.824226980431581
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Cnhp+J2sx/5W6eW5L2Nyby2sE9jBF6IYiYF8pA5K+oCGUHF9IAvnnBArO:k6RW6eWoNyb8E9VF6IYinAM+oCiAvnv
                                                                                                  MD5:7662073D5C9F5DA86E7BB16AC01EC465
                                                                                                  SHA1:5908E08B51C311BF941FD3E8D7494A43EF556707
                                                                                                  SHA-256:E110DFDD5440CF6A8945309477298DEE2D12F6B52E9E80213E817E04E457BDC9
                                                                                                  SHA-512:608CA6B3FE7EB302E044ECE43C83A41F437820CF743CC5E4D8A3C02209E9B607C699B02D7F67D8C47C77DFF453C26138FF2F26A2E52E83662DA34279DDC04F20
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............-... ...@....... ....................................@..................................-..O....@..................0(...`......P,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................+......................................BSJB............v4.0.30319......l.......#~..\.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3......................................5.........c.............z...............(.....E.....................................Q.........../...........b.....b.....b...).b...1.b...9.b...A.b...I.b...Q.b...Y.b...a.b...i.b...q.b.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.857337169237656
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:3SPuxFp9W70W5pjNyby2sE9jBF6IYiYF8pA5K+oCGUHFqR3O0iG:3SUP9W70WTNyb8E9VF6IYinAM+oCu1Bd
                                                                                                  MD5:C7475AA5C816671F648950C8B3D80A50
                                                                                                  SHA1:5C016A103034944586FC1E427D413BF7ACD32934
                                                                                                  SHA-256:DAF45389137134A78C7918837084C67EC020BA4D4B6326A9C0167A892B0BC6BF
                                                                                                  SHA-512:53E0A144440F15949D5881E3234E248099D518CDE6424CEF9A71351DD141A0329A012FC3BA36E361C61A8AFED28B5FF7B8D65A161681D3CFC4294E2401588D79
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................0(...`.......'............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...x...#Strings............#US.........#GUID...........#Blob......................3..................................................&.....&...p.....F.............................9.....R.................m.....V...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.850913897976473
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:838yg07W0/WFNyb8E9VF6IYinAM+oC/orPM:ABH0EpYinAMxCAQ
                                                                                                  MD5:06188251B3A1A875394711909E08FB58
                                                                                                  SHA1:AC3BB0E100B209F13EBD3D1F4541DBBA86380C82
                                                                                                  SHA-256:63E55277CA37F86089AAA1EF548A829EF3C79F7903ED90CD2A87A5A36CA05560
                                                                                                  SHA-512:C13D22C64CB6EE3E9B6128876B2C5A008E5C0A8FD70E4BBBBFEAF6A8B2D9361A428673F44AA5BB3FF3A255EFA0AD4362B234AF9CB128D6FF6C9EEF18C88777E6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................0(...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...d...#Strings............#US.........#GUID...........#Blob......................3.................................................."....."...m.....B.............................6.....O.................j.....S.......(...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.816246694368643
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:queAxQJ4WmRW58/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFOq9gyBs:we1WmRWaNyb8E9VF6IYinAM+oCaKgb
                                                                                                  MD5:E6ABCF274EEE36629C345B9AEDF26554
                                                                                                  SHA1:187B7F5B3166740895FADF9D213389366B57430C
                                                                                                  SHA-256:3ACF086B5F0CA5198B97501853AA4BC9C39EC48B420157C55CF166B73E8F0F36
                                                                                                  SHA-512:E8C740F7695798102E37EBB1419A8E7CA9601B37930F2E446B4AF01277B8D28D732CFE9824FC3911EEF43C08D6E3732C8C7F3E03A1D04798B1607DDC2FC07120
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................$v....@.................................p(..O....@..................0(...`......8'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..h....................&......................................BSJB............v4.0.30319......l.......#~.. ...0...#Strings....P.......#US.T.......#GUID...d.......#Blob......................3............................................................f...........z.................y...../.....H.................c.....L.......,...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.(...K.H...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):142384
                                                                                                  Entropy (8bit):6.161479044620922
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:SUGrszKKLBFa9DvrJGeesIf3afNs2AldfIQh:lBFd3/aFs2k
                                                                                                  MD5:A43365B5967E6019BC635070BFC1E909
                                                                                                  SHA1:F7C0912954D447DB22A06AE3E322C1AF718B41C4
                                                                                                  SHA-256:EE2DE8A438625A5FAEE72A26BBFDB9005473B7FCBFDF5B0D114FFB113FC4E884
                                                                                                  SHA-512:4C22C5BFB7828BE10074B4D52CB44B2BDE25F9007E01CC918FD538B6EDE72577FF0E54E93D33A5FFEC25FD84D00512E99E7D1FF8249E92FBF7A38F263BD4151D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......<V....@.................................X...O.... ..0...............0(...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):192560
                                                                                                  Entropy (8bit):6.115523408722963
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:xeruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgUS:UW60VcTvakcXcApOG
                                                                                                  MD5:8DC9C3A2D3770FBCCDD2D25266CF69D8
                                                                                                  SHA1:07C4CBFC3F406B65FCD917B178B497B2F787409F
                                                                                                  SHA-256:A1C0B1830533EDFD5A02E16D5C20227CACA3FFA8485216142F056D761B95A05A
                                                                                                  SHA-512:865CAA63FC175E74EE7572886C37DF90AB2EFCBF76536A5B9B188E4AD3C7BD6C714B6713202F3C716CBBF830D28E8C54A6D17FA1A634267EBF3C0121F10E41D8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.................. ........... ....................... .......]....@.....................................O.......h...............0(........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........$..H...........$....,...........................................0..,........ ....1.r...ps0...z.............(.....s1...*.0..l........J.2..J.o2...2.r...ps0...z..Jo3....%36.o2....JY.2*..J.Xo3.....J.Xo3...(...... ........J.XT.*...J...XT.o3...*..o2....Y./..*..o3....%3 ...Xo3......Xo3...(.... .......*.*..0..=..........J...XT..%....J...XT.~..... ...._.c.....J...XT.~......._..*....0............02...91...A2...F1...a2...f1. ....*..91...F1...aY+...AY..X+...0Y...02...91...A2...F

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.840129577582069
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:oCZsxgyrWYLW5lSNyby2sE9jBF6IYiYF8pA5K+oCGUHF5LxLCiLv/Z5:os6ZWYLWyNyb8E9VF6IYinAM+oCNNLPT
                                                                                                  MD5:21B5CB012909AE25847697B060BA8B50
                                                                                                  SHA1:08182D897B6176818C15CD68858D7EDCDBD5151E
                                                                                                  SHA-256:60CA68678C435561216B95DE986225D0EACC7957822781DC709E142A23E96AEB
                                                                                                  SHA-512:AE94EC4E5D6B339526045FF29DF7099D8E59587D1CCC53434A0C775A9D5055EF5402335F302ABA71DBE97BC88F7A49B2F8798944413A98DF38EE0B60C95A2C7D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@.. ...............0(...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......0...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.791178572741935
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:jk14xPxHWMQW5YGNyby2sE9jBF6IYiYF8pA5K+oCGUHFKHdLonB:w1W1WMQWrNyb8E9VF6IYinAM+oCuHCB
                                                                                                  MD5:03B4C9F4BCC57182994AC8F1FB30D357
                                                                                                  SHA1:E2154538A6F7304438DFC2B86D05998EBEDF83AC
                                                                                                  SHA-256:632E7F3C2E848A6176BF159EAC25E8025471DF3AF565749991DDC0A72BD08F58
                                                                                                  SHA-512:125C8D889B7569CDBC2A5E10B483984E08C66461DA9FE9DD8A26DC6401913720B448E44049ABBD2D0C4B4825C3D2480A13D5CB70942F3DA037C6A155071D2520
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............,... ...@....... ..............................]5....@..................................,..O....@..@...............0(...`......p+............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....t.......#US.x.......#GUID...........#Blob......................3................................!...............E.................%.................'...........e.....~...........................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.834812088864677
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:FQ/rx72WSKW5xjNyby2sE9jBF6IYiYF8pA5K+oCGUHFA/kq+rop:2dSWSKWvNyb8E9VF6IYinAM+oCsF+sp
                                                                                                  MD5:B94C0D55F9DEEBCE0AE518A7C1FF7FC9
                                                                                                  SHA1:CB0D9783B75CEF6F6646456D1BD1FED6CFFBA6E0
                                                                                                  SHA-256:826FB58946DB883EA027C648AF51456B2DAC02D82C0640F6A3D47F75F60F7E91
                                                                                                  SHA-512:71CF72886EA82807C41C33A4BE8F4E3EF96AAA8FE0416BD679DDDDE5FF9B299FC04105BE35886598C37EBDF17D8FCE77B8C12726191CF5CC7BE2A6F42BDD228D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................r]....@..................................(..O....@..................0(...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...L...#Strings....l.......#US.p.......#GUID...........#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.749123657530473
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:iJEYA2WkIWhNyb8E9VF6IYinAM+oC1IZ328LQ:iyYA8vEpYinAMxC+ZQ
                                                                                                  MD5:A26A7355A0F869DD740F8302E696FF25
                                                                                                  SHA1:B1FD9DC4A90A4143774525C4554957176402106B
                                                                                                  SHA-256:518C1803C8DB6875BF335151F892E34DA725B121B7F7617CB1866956486592AC
                                                                                                  SHA-512:D9F0856A2F0EE39B8001EDC2AB478718A48C974571FCAA38D6021EE72D5820239D703E37C293CAE508284BD209AC35DCE58EAC9A141C9B4FB023A70EEE95B160
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ..............................3.....@................................. ,..O....@..................0(...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l.......#~..|...x...#Strings............#US.........#GUID...........#Blob......................3......................................$.........N.U.....U.....-...u.................0...........n.........................>.......................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.878256468311067
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EJGWe4WENyb8E9VF6IYinAM+oC5OXOvIJ:cm6EpYinAMxC/vIJ
                                                                                                  MD5:B13D87B4279183343430165A63DF5D61
                                                                                                  SHA1:A8425A12B934F581E4B2590F8726A00FA59CFC9F
                                                                                                  SHA-256:9783A508C583ABB0F379ED9EA780E83AB2E506FBF8C2F74341DB5D61E40A2CB9
                                                                                                  SHA-512:112CA58BA27B7530A6BFD95C722A966F597F67988157E337E6AB365832EA1206C15150CC572AFB3FE70ECBD42CC2186BEB2B6291ACDD1411B5B60522DB134AED
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................0)..O....@..................0(...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d)......H.......P ..(...................x'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings............#US.........#GUID...........#Blob......................3..................................................4...~.4...R.!...T.....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.784153781952316
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:FdW1w3WesWvNyb8E9VF6IYinAM+oCV4Ram0p:S1wx1EpYinAMxC+Um0p
                                                                                                  MD5:A647351FCDFDA523270411A05330F65F
                                                                                                  SHA1:31AEA0A4BD322D38BBCED174377C69C26E1C1420
                                                                                                  SHA-256:C828BC2A65A5DEE3CE49F2FC01EEAED02011CE4C4BABDDB2E187AA2C1793193D
                                                                                                  SHA-512:097C3627DA0FB41FA3129250B7EEAB35053F0C26B222903194F4BFBCE36D8BF7A32AC0338E72234010538D07512D93C557E98A6F00A76F5F3126B6BC4C31C94D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............~*... ...@....... ..............................,.....@.................................,*..O....@..................0(...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H.......P ..$...................t(......................................BSJB............v4.0.30319......l...$...#~......t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.<.....<.....<...C.<.....<.....<...[.<...x.<...-.......<.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24624
                                                                                                  Entropy (8bit):6.594209857362746
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:fylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsWmNyb8E9VF62:fyp12Bhkg3qnV/sEEpYinAMxCRvA5
                                                                                                  MD5:B801570396E51A09A5A839F68470EBF3
                                                                                                  SHA1:3AA0C793291D8C6CEE4F558474FBA64180D2A635
                                                                                                  SHA-256:550DA51098EF5C3AD5F6827FB682C098D2A55B513F39FA89F23546F7BBCA0CCA
                                                                                                  SHA-512:C168A6538763A574349FE5D4BF8B6BE42CA4B353C11401D16AA5BC50B718F3C414D7214F3115B2767FB175BEB2C187491D0C0358414C2D5C3802FC0821F2AD15
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..*...........I... ...`....... ...............................s....@.................................gI..O....`...............8..0(...........H............................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............6..............@..B.................I......H.......H(... ..................HH.......................................0..J.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%......o....*...0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..K.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%.......o...+*..0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..L.......(....~....%-.&~..........s....%.....~....%-.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.857045567772236
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:hSHlx2PW1bW5akNyby2sE9jBF6IYiYF8pA5K+oCGUHFl5tvFj:kHPAW1bWPNyb8E9VF6IYinAM+oCJ5jj
                                                                                                  MD5:755763AC761829B708C4F6AC1E4DD56D
                                                                                                  SHA1:95891B7A944C0CEE2BAA670108A9338A8D7BBE0D
                                                                                                  SHA-256:9F2D4608E3FA4AE04E6EDA3B06C4176AA30B9A12E9978528095BE4A3C8215E4D
                                                                                                  SHA-512:04BC832878274BCC98CCB18F269EEA96105C3B243EBB882B62A0DEA079F0D073CE83335E517DA35B7E6F6A4CDEA13DBB459E6F942B33821A686D5D79E619364C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................4....@..................................(..O....@..P...............0(...`......P'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3......................................z...............\.....0.....3.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.855690111371631
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:o+TxwFqWD7W5d/Nyby2sE9jBF6IYiYF8pA5K+oCGUHFCet6Kg:jNoqWD7WXNyb8E9VF6IYinAM+oCegg
                                                                                                  MD5:FBCBC20D98A796E892CE421A726CEA4A
                                                                                                  SHA1:C9D25AA5AF24F4983DBC027FAD7B89573C0158DD
                                                                                                  SHA-256:5370C7DB181CD65698E34893D3C234738CD4FE6A844D153311A6A2AE26532A48
                                                                                                  SHA-512:9C76F247A66693E846D0F83CD32F0952083AA8144AC904162756073F9AF103A87DBC4A0F1E0A3EF328A8237D307C1A6B41B05BB7A29D3014F9936C51F3057C5D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................(....@.................................|(..O....@..@...............0(...`......D'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ..t....................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.863088883661345
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:dGETSAWUEWvNyb8E9VF6IYinAM+oC6t0Jx:hT1tEpYinAMxCv
                                                                                                  MD5:C9029E037F4B3871CC6A91E1B6C1EC26
                                                                                                  SHA1:0141BFA8130F9E66BD96134E3481DBA578607581
                                                                                                  SHA-256:8AEEF456BC4D080E528422A7C84999E2A37B55C7FC1D54946BFCF66A5A563602
                                                                                                  SHA-512:09CE23955A754BAC1C8BC00B293A3FBC6A18882213F2B2C60DCFB6BC20AAB29F66DDA39CDA86076EF9823B01995F672E95D97CDF19D2B43E8E625169E83935E2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............B)... ...@....... ..............................U.....@..................................(..O....@..................0(...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3............................................................T.....,.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):110128
                                                                                                  Entropy (8bit):5.512428319727748
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:VPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7Hxd:VWw0SUUKBM8aOUiiGw7qa9tK/ir
                                                                                                  MD5:EE7E03D81617BEEAC4146802F335ACE0
                                                                                                  SHA1:5FE83B56166303C06BD972AAC90568E35A54DCE6
                                                                                                  SHA-256:E873AD02839D122803CD13560BF9800D284075062E6B672209095823CD9F101F
                                                                                                  SHA-512:37748D3FB882AEA2CEA60F92D12DC4E85C9929E18DE677CC6389FCAC05BF337051CDAA7C770DD6573273329C1F9DE6BF523967A7E851C5C1BFBE38584F794B0E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................G.....@.................................f...O.......................0(.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.8513999869142745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:BcDagtDApWSKJWVNyb8E9VF6IYinAM+oC4Ls1hK:BPKBCEpYinAMxCNzK
                                                                                                  MD5:82FF772662364A0C496745BC1B4C1F26
                                                                                                  SHA1:D6C63BE1D816520E1276AD3A058D17BC67E5AEC6
                                                                                                  SHA-256:FE0A154AFBED15F964515DD613BDFF6927AAD440A5F5CD698580E8EA548875E9
                                                                                                  SHA-512:62DF45A06C008E0FEE7D5C40130C04548A69EFC501A1EBF6E06C040967DC5A75BBFCB11F2A5F417740ECCC5AE9BE84560C263D080D7BBC5881967FCD8DDBB80E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............+... ...@....... ...............................c....@.................................0+..O....@..................0(...`.......)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d+......H.......P ..(...................x)......................................BSJB............v4.0.30319......l...x...#~......$...#Strings............#US.........#GUID...........#Blob......................3......................................x.........w.o.....o.....\...............<.....Y.................................................G...........V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.859839841612763
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:b6NxhqWD4W52ANyby2sE9jBF6IYiYF8pA5K+oCGUHFAybofaz8MC:6IWD4W3Nyb8E9VF6IYinAM+oCM0Tz8MC
                                                                                                  MD5:F3AFFB9C15521C0072C36F033650A77F
                                                                                                  SHA1:CD6167209EE2BE9DB10BBAB5B6FDEE5DEC9ED8AC
                                                                                                  SHA-256:21D64B5811FAAF215AD863A9F1B164240F235806D51751A6CC0684FEC1AF54C5
                                                                                                  SHA-512:656899E1F92DE6B3141B7FF59B695AE3EC047B7EAA0549F79AC9FE6C0E70C8F8CD4A52E2FBC0DEC85B61598A9241FB6DA32F17A08064C21FCDF1E3747CB24D7E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..@...............0(...`......\'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....d.......#US.h.......#GUID...x.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.787615206970784
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:oW2KxVSWzQW5g3Nyby2sE9jBF6IYiYF8pA5K+oCGUHFh/JZlpi2Tr:HMWzQWONyb8E9VF6IYinAM+oCN/Jc23
                                                                                                  MD5:74CD47CCF9A23509EB1925949117C7D0
                                                                                                  SHA1:BB4CB6FDAA42DA65C8BD6CA583F981F5B1A30EC2
                                                                                                  SHA-256:565175621EC7C5E2DC1E4FC10EA7A191D4AEE273AAD9488D27155BCA8D9326B4
                                                                                                  SHA-512:E53CE1150EF7E0DE8514CAAC5745D8A9A7F529D2E3A5DF770F6A52D6A8FB1782A88A400A15A48AAEE2197AE7CB9E57A4C59CECE7FBB1A1D684F2809A1FE81CB4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............N*... ...@....... ....................................@..................................)..O....@..@...............0(...`.......(............................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................0*......H.......P ......................D(......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................z.....N.....:.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.724837659990903
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:pxDHKWAMWeNyb8E9VF6IYinAM+oClPK4N:/D8wEpYinAMxCVB
                                                                                                  MD5:2A13C29EFFE6FFF14E834DCCCE11363F
                                                                                                  SHA1:CEE6B6D5A120B3D9F8B3AD23631D030589297A2E
                                                                                                  SHA-256:263E679510015DC47E8144298801B83A2EB2B54683E8CB77945F7CE7CFB8AF6F
                                                                                                  SHA-512:757FF7D240E3E2A056F55BA9FC0CB75C6592796F5375C90BA000DD929347AAD5A9817C1F4048C2E716E3171118F2117134245A6ECF2727DA5544580237AF57A1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ...............................D....@................................. ,..O....@..................0(...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID...........#Blob......................3................................"...............1.............{.................................Q.....j.......................n...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.....K.N...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.832344368002849
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:hLNBEW6pWpNyb8E9VF6IYinAM+oCdT1qehj:hbMmEpYinAMxCpl
                                                                                                  MD5:00DFB3D21000CE6AB0F0943E4A899A1B
                                                                                                  SHA1:ECF0E793679AE3C510F9DBCCC10F8837A084072E
                                                                                                  SHA-256:AC56ABBA06CC073A1C99DCFDC7511CEE96C69C5E2074DC40832A3B728DBA35C6
                                                                                                  SHA-512:92240772F48D6B823920EEB4979746D44C8C8F443D979C1154F68BF4E6E107C97145BFC872B6B2863581E34BFBD9FBE1B30251471ADBA08CF8C2C7C12E4F12C9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................[.....@.................................D(..O....@..................0(...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.886146240522453
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:+KkHKW/tW7Nyb8E9VF6IYinAM+oCkNKuT/Oeuy:DuMEpYinAMxCWlbN
                                                                                                  MD5:D8069A40382EEBF69DC58E4C4C4C9C55
                                                                                                  SHA1:B61573C5F26F0E8B1CDF4ED2BF8914664A0CBD34
                                                                                                  SHA-256:F9A492EA7AF7A8A965F64BF08113412EFF8B063569D60078ADD7D786B266149F
                                                                                                  SHA-512:AAD64D250A97FCB30D79E7A9D700D716D73386F0E976A19530CB896E662C2F0492737EF96C7B878E3A27F6F195DE109805DA4A4063DA52C4ADAF5B1030837EF7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................5.....@..................................(..O....@..`...............0(...`.......'............................................... ............... ..H............text...4.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................$'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................W.....W...R.D.........f.......................=.....V.....}...........q.........................>.....>.....>...).>...1.>...9.>...A.>...I.>...Q.>...Y.>...a.>...i.>...q.>.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.834800241318689
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:YLnfIWqrW2Nyb8E9VF6IYinAM+oC7Dq1bDlh:YDf47EpYinAMxCgbhh
                                                                                                  MD5:D5A14374A84846521F535F655B08E291
                                                                                                  SHA1:B6ED9DB545D383FFC649B129CC976D8C3ED3D62C
                                                                                                  SHA-256:EE04FBA35F24880E5611FE71954EC563423CB7661DBE85332B39B708227845E1
                                                                                                  SHA-512:C555680A58BC989285ECCFB8E60F3FC414FE9FE343A4D0390C7FFECF1D5211AEB262D76BA711BF7A2981E457B2F6929281E543FC5EA569BD76672673D1DFD0AB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................Q.....@.................................D(..O....@..................0(...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.674121027050591
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBAv:gy9eEpYinAMxCAq
                                                                                                  MD5:CD0597748B58BAA0987F04AAC12C49E6
                                                                                                  SHA1:C22646FBAA464576A9308490E9A485128DA6E233
                                                                                                  SHA-256:8461BE14B848A3ED24377316ECF0BC8F3D94589D26480D9E32B6E3722732CD6E
                                                                                                  SHA-512:A93DE89A5790D8F0ECCF3C260F23C3B5E1022244A88EC59DB9D847CE307AE5AEAFE15FE0A287E590CC9E8175042B224B4FD78A79568489E6F7FF70209976DFE8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................V....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.813554018350934
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Ena8WK1WTNyb8E9VF6IYinAM+oCY4YN50:Ena0oEpYinAMxCy0
                                                                                                  MD5:AE46262D6F3C39E7567471D863ABB7E1
                                                                                                  SHA1:1DF6ABB19DCE6E55138BB1E435BC64B20F106339
                                                                                                  SHA-256:0407F8AE6999185D868F49FDECF2131D217481B28A98F8E21B7877B2608C1000
                                                                                                  SHA-512:ADA27E97F729E084AFC1A3881A298671F003A2EB33EC73A6EF02BBDA95524C487088E4E87256AB2A1AFBC879D1B3CA478EB07495E160F0123D2DFFA9EB0A3FFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............j*... ...@....... ....................................@..................................*..O....@..................0(...`.......(............................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................L*......H.......P ......................`(......................................BSJB............v4.0.30319......l...@...#~......0...#Strings............#US.........#GUID....... ...#Blob......................3................................................w.................!...........<.....Y.............................................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.765789192823512
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:RBSWITWjNyb8E9VF6IYinAM+oC3mR6WAAW3a:R6eEpYinAMxCWRgta
                                                                                                  MD5:D8684391AF95221BBDEDF477167ED935
                                                                                                  SHA1:FEE1AD3F56D32E015B7CAECF62EC28BBD0333669
                                                                                                  SHA-256:9033BEE210A22A36E3F9E4B47609CEB9EE5E483DC3DD0AF3530CC08E6E5F5D5C
                                                                                                  SHA-512:068656DEBD78517E611CF8A7C8A95675BB173AD4AD826C5EFE84374DAC76220FB53317910772D44901C59B75C932CCBCEC4862917422C6CF9CC973A7BEA87C99
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............*... ...@....... ...............................Z....@..................................)..O....@.. ...............0(...`.......(............................................... ............... ..H............text...$.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................|.....|...S.i.........g.................f...........5.....~...........P.....9...................c.....c.....c...).c...1.c...9.c...A.c...I.c...Q.c...Y.c...a.c...i.c...q.c.......................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.875547004279443
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:X88cIIWNoWINyb8E9VF6IYinAM+oCJ4e2:X9cUeEpYinAMxCx2
                                                                                                  MD5:89494EBDBC4C195C6A95C124511F0E09
                                                                                                  SHA1:49B916DDBC7D7C0C56AD7AC08140B843A7D62B02
                                                                                                  SHA-256:34AFAA99089102614DECA07742DF61F913CEEF3FB71D85214D52D299064BF9D5
                                                                                                  SHA-512:7139BB20ED7836486C70D63C0C451F26BEBC12105132CF0D1AE1F7BD5F348D91A70A500A926A376F185AFFC1DE9215CBFA564B4584528A08F20950C0A149AFEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............V)... ...@....... ....................................@..................................)..O....@..................0(...`.......'............................................... ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................8)......H.......P ......................L'......................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID...........#Blob......................3..................................................*.....*...c.....J.....w.................v.....,.....E.................`.....I...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22576
                                                                                                  Entropy (8bit):6.62055244452865
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1kUwx9rm5go1fWKmmW4oqN5dWjaWxNyb8E9VF6IYinAM+oCowX/USZ:0rmoFmWXX5EpYinAMxCbXZ
                                                                                                  MD5:48AC77B707465BC012574E05547547F7
                                                                                                  SHA1:354F6C91655574659EED716E14604435C9394D51
                                                                                                  SHA-256:EAA69830D08C05D58B7EE216D1C5D1C19F69597A59D897252F3455081FAD5578
                                                                                                  SHA-512:00030A58AB3837169DB67BE53999D7C2F6A6FA64A334A51A01F526D4D873E2B0F5A60C4C47712FB266C6752E1212EAE35E56A80104944262882E041198C21864
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..&...........E... ...`....... ....................................@.................................PE..O....`..x............0..0(...........D............................................... ............... ..H............text....%... ...&.................. ..`.rsrc...x....`.......(..............@..@.reloc..............................@..B.................E......H........$...............A.......C......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r/..p.(....*......(....*2(.....(....*^~....-.(.........~....*.0..........~..........(.........(....-Y..(!....{/......5..,

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18480
                                                                                                  Entropy (8bit):6.673862225741473
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:B09bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVsz:YOAghbsDCyVnVc3p/i2fBVlAO/BRU+pB
                                                                                                  MD5:0E6D75B6158418F0A95E6CB412CC0353
                                                                                                  SHA1:EA67A1CA24B6824F3198CE1BC5AA58A00B12E11B
                                                                                                  SHA-256:DE6EE529839FAD27C8024EC8B895266165430776548B78D6EFF578CE7789EE89
                                                                                                  SHA-512:93FD7D4485009ABD8245FF347DC2FD8739488B66E54769DF5875EF3B37B5A6B1AB99ABBED462F2D0A826F4B2D3D8D16D382991488FA6B91A5CE2EDB21021CB32
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............r5... ...@....... ....................................@................................. 5..O....@..P............ ..0(...`.......3............................................... ............... ..H............text...x.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................T5......H.......P ......................h3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................r.....................e...........4.................3.....L...................................R...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.831572533599495
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:cHYx4AW6RW524Nyby2sE9jBF6IYiYF8pA5K+oCGUHFt7kRCdU:l7W6RWLNyb8E9VF6IYinAM+oCZ7TU
                                                                                                  MD5:FB71DB3448ADA905D419397DD27B42B3
                                                                                                  SHA1:CD9D9F8B34AEBC429AD85E960259E61FE6EC9B55
                                                                                                  SHA-256:263EBC2FF99DC60B5CD58B450B1A517BF24BC3A064E9396ADE4D1181A0B000BA
                                                                                                  SHA-512:FC39FC219EA027E358F16C6903E0C4886D939F9F3D3C540AF2781AE72F3AC7056F5DA9F0C399AE312C40D822932A27109605EB8EDAB64851CF8045AC83FA188D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ...................................@.................................T(..O....@..................0(...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......4...#Strings....(.......#US.,.......#GUID...<.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.924286323235784
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jI5HeWFwTBsW9Nyb8E9VF6IYinAM+oCuK9C:jI5HFwTB3EpYinAMxCl4
                                                                                                  MD5:100170C1B006D4151D70BFAB2F606618
                                                                                                  SHA1:C8B5516053BB65659F1DFA873A2221ACA360E565
                                                                                                  SHA-256:B238E2ED9BE9B87579163A466CAC425DF02BA853E321E05FF9E3DE3AF6FB6933
                                                                                                  SHA-512:33B105273E35BF8E9AA542C62AF930B3BD907F964D54C24143D872C51FFD2DCCCECF3D3053B85F775E50147BA9B554220C1F764A6B1A85DB1069447BBF5B0630
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...............................P....@.................................|)..O....@..................0(...`......D(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ..t....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....@.......#US.D.......#GUID...T... ...#Blob......................3............................................................U.x...........................~.....4.....M.................h.....$...................r.....r.....r...).r...1.r...9.r...A.r...I.r...Q.r...Y.r...a.r...i.r...q.r.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.894774524663774
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gAJpVWbfkBnWdNyb8E9VF6IYinAM+oCnZMt:gAJpWfkBEEpYinAMxCQ
                                                                                                  MD5:2C16F35F49CA130BE20A66BE212A533E
                                                                                                  SHA1:91974A82002EB4D573CC2464AEF22CD0E90A4254
                                                                                                  SHA-256:B7447B113A9EFD9D0347C3F758E3B07865C703B00218283D1A3DC77D0A270D3C
                                                                                                  SHA-512:D410689278E308D73ADD384F50E9DD0BE10268EC9C09D73268467649BE48BF4E51B8FD00A288A3729D34D6817B10A18012889855B8BCFED6FCF232EBF02A49DB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............>)... ...@....... ..............................N.....@..................................(..O....@..`...............0(...`.......'............................................... ............... ..H............text...D.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................ )......H.......P ......................4'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...........@...\.@...0.-...`.....D.................C.................[.....x.....-.........................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.#...C.>...K.^...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):21040
                                                                                                  Entropy (8bit):6.5401063533970465
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:H8R71h7yzt94dHWFgQBVWeHWFyTBVWMNyb8E9VF6IYinAM+oCRNkQ:y1dyAqgQBfqyTBjEpYinAMxCd
                                                                                                  MD5:86C2CF8250170A56EA417E1BF13672F2
                                                                                                  SHA1:DA672A37C886FEC030EF542AB9132C2ADBDDC224
                                                                                                  SHA-256:033A22044A5922C19DC170DD18F9271BDDDC0C767ECD4184C8CBCA252B82BC33
                                                                                                  SHA-512:AFB4AAAC45C6126948FB28084610C26DD08DEA153EC15A5A1F5A52F2A68F44AA579ABDAB8E935D6E5B27E58685FED2A58BB439C30AE2EF78CE2CD2D8670BBDA8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............8... ...@....... ...............................q....@..................................8..O....@..8............*..0(...`.......7............................................... ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`.......(..............@..B.................8......H.......|!..l............1..p...X7......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*..BSJB............v4.0.30319......l.......#~..h.......#Strings....\...4...#US.........#GUID...........#Blob...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18992
                                                                                                  Entropy (8bit):6.680985479092326
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:IpsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWUNyb8E9VF6IYinAM+oCZ8od3Q:qsPMQMI8COYyi4oBNw4tBEEpYinAMxCe
                                                                                                  MD5:89EACA9913DE5A262131748A8FBA413E
                                                                                                  SHA1:711C34F847E09B820D857ABD3D1A3FF054B10978
                                                                                                  SHA-256:7C35E1A3F017DA51957052CC39E02C28CBA1F36F6E46B35529FE8CDDABE1C9CB
                                                                                                  SHA-512:CF337FC86DFAE20266B47F276E38BB2434C1C8A674C4F37D29BE5473A341F97C86C01368161318DEF155CE46DE5C4C5750F90B228D62866FAA61F4A413FC3FB8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............3... ...@....... ...................................@..................................3..O....@..............."..0(...`.......2............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H........!..0...................L2.......................................s....*..s....*..0...........o....u......,..o....*.*.0..%........s..........(....r...p.$o......o....*:.(......}....*..{....*.(....z.(....z6.{.....o....*:.{......o....*.(....z:.{......o....*.(....z.(....z.BSJB............v4.0.30319......l.......#~.. .......#Strings....$...0...#US.T.......#GUID...d.......#Blob...........W..........3............................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23600
                                                                                                  Entropy (8bit):6.319697338021789
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:xbhigwLAuZtM66g/Id7WVXWwNyb8E9VF6IYinAM+oCdTuuO0:xbhzkKs1EpYinAMxC9O0
                                                                                                  MD5:6E381132DE152A3475E305709D23D4AA
                                                                                                  SHA1:A44AE3A6050A6771B6A6A7EEE0CC03B033B2758A
                                                                                                  SHA-256:A4AE7B340B49695889BA3893D49F26B645E3B198B21DAAC7BADDC22C9CDE4D6A
                                                                                                  SHA-512:62804A7FE51D980D9D4329CBC620B52CA247254C63D280E58D891AF62C74B2C4527A8C01F12DEE0C0D7BB92B44F23CF2F2BF0EEAB19A79A307DD36EA2049E31B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..*.........."H... ...`....... ..............................q.....@..................................G..O....`...............4..0(...........F............................................... ............... ..H............text...((... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H.......P ...%...................F......................................BSJB............v4.0.30319......l.......#~..........#Strings.....#......#US..#......#GUID....#......#Blob......................3................................................_.........................8.....8...*.8.....8.....8.....8.....8.....8.........*.8.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.86777742071565
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:QUcX6W9aWmNyb8E9VF6IYinAM+oC7y5BZ:QUchSEpYinAMxCY
                                                                                                  MD5:B6F47697E2167ECA90DCC729460FAD0D
                                                                                                  SHA1:0B093E1D3F362686E7670F5D5E97AE39D1A688C2
                                                                                                  SHA-256:EE59B35346BB964F045938C42F36B31152FFE0448FB7C0F47A8D4B8F3F00223E
                                                                                                  SHA-512:CC251146A799A924FACD7763AEC15422518A1B311F1151A8388D45AC88B20916B2AF476E1B56E7563A0CDD6AB0D32FAF980A56A64988C0AA79F87A6B33FB6F02
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............B)... ...@....... ..............................W.....@..................................(..O....@..................0(...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....(.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41008
                                                                                                  Entropy (8bit):5.952082983895029
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:eoBj7kS+8mjvHTeaWKs0Sd4eerEpYinAMxC6:lPmb9WKs0PeeE7Hxp
                                                                                                  MD5:C918A56C8019B355893017E80AA011B4
                                                                                                  SHA1:6FB6750CC0B061EBD8FE514761C9435A640EB3BF
                                                                                                  SHA-256:084EED4F8A3DB18429152AC69707170EE9699473197B268FD50286A62F11AC41
                                                                                                  SHA-512:0211A760A2A37A6925C46D243653C0229C9F30C7AD0CE25B2D8ACFCB6254409E7A883DE37AB3BAD78B188BBD4A4B03724834ED8FD3F230C730D86DA5044A832B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..h.............. ........... ..............................o/....@.................................u...O.......8............x..0(........................................................... ............... ..H............text....f... ...h.................. ..`.rsrc...8............j..............@..@.reloc...............v..............@..B........................H.......P'..\8..........._...%..,.......................................j~....%-.&(F...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rI..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r9..p.(....*2rm..p.(....*2r...p.(....*2r...p.(....*2r=..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.893731616710799
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vTI2pWPzWKNyb8E9VF6IYinAM+oCWxypjhJ:vE3bEpYinAMxCppP
                                                                                                  MD5:F65144928C3B53C7947BB102E1288E6D
                                                                                                  SHA1:E7EAC99B2314CCA19696CA438E44CCDAF9013737
                                                                                                  SHA-256:BA06A4E711707C8644BABAB2D36414EBF44BE0ED43E2C0EBA6970AB8B42FCF86
                                                                                                  SHA-512:CA41E3E9AA31A45995A9E4C315ED6FC6D4195242C5476407224894FAD4BEC056116D5FEC1BC1492B4E0096A7B6969CE02D711192A46518AB0AAEC12F46623F38
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............^)... ...@....... ....................................@..................................)..O....@..`...............0(...`.......'............................................... ............... ..H............text...d.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................@)......H.......P ......................T'......................................BSJB............v4.0.30319......l.......#~..,.......#Strings............#US.........#GUID...........#Blob......................3......................................z...........A...\.A...0.....a.....D.................C.................[.....x.....-.........................(.....(.....(...).(...1.(...9.(...A.(...I.(...Q.(...Y.(...a.(...i.(...q.(.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.912028776126427
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ucezoy4W04WFNyb8E9VF6IYinAM+oCm/N9fw:uBzoy+DEpYinAMxCm9fw
                                                                                                  MD5:2A34E7463FF6CBFEEDE44DA8F342B92E
                                                                                                  SHA1:26F6D4E4D597F8861A706F4C7EE8D140A46C7BD1
                                                                                                  SHA-256:3F8E7F6F16EE6782CA2F7E95BDEA4948748A7C1C6D97DD8879543AD775247533
                                                                                                  SHA-512:D39E991937ED94F77FEAF88667374FEE4E0CB9FA7223D0ABF55898B451E343E8AF28175BCFD70C93E52C501E61918915E1D583C7E565A3ADA955E6EB7917AA34
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............~)... ...@....... ....................................@.................................,)..O....@..................0(...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`)......H.......P ..$...................t'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID....... ...#Blob......................3..................................................f...o.f...C.S.........W.................V...........%.....n...........@.....)...................M.....M.....M...).M...1.M...9.M...A.M...I.M...Q.M...Y.M...a.M...i.M...q.M.......................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.795128333926592
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:c/gHWexY+WKpW5ryNyby2sE9jBF6IYiYF8pA5K+oCGUHFjekeXY67Z:lH/JWKpWwNyb8E9VF6IYinAM+oCXI7
                                                                                                  MD5:507447719CCA867D2537FE48B9EABCBD
                                                                                                  SHA1:6F819B9EEE30EFF3229C22D1FD2D8E05217F678F
                                                                                                  SHA-256:E17A634ED5046725D17C458C88AE68E182AD084376AE0A513B2EC435DB22E0D9
                                                                                                  SHA-512:BB6177865C0FC675CD1DDA9BC4CA2C426DDD4BCA987D36A1EB98E063DF6D6DE334723063FAA2AF77A5022D55719C74F5A7264F100B11B2482E75E78400A2FD9D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0............."*... ...@....... ...............................D....@..................................)..O....@..................0(...`.......(............................................... ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID....... ...#Blob......................3............................................................o.s...........D.....D.....D.....D...8.D...Q.D.....D.....D...l.....U.D.................m.....m.....m...).m...1.m...9.m...A.m...I.m...Q.m...Y.m...a.m...i.m...q.m.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):16944
                                                                                                  Entropy (8bit):6.743765550669376
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:rTjbocNsWMhWbNyb8E9VF6IYinAM+oCtLwE:DboYy8EpYinAMxCtR
                                                                                                  MD5:46646113A8671C616E570AE130191375
                                                                                                  SHA1:34EB3F3285121040C65F124828FB22C57FD45F4F
                                                                                                  SHA-256:F42B0174884859EEC6DA1E8B30141E19F600AE4553D039924AC0DAD4E1841CA8
                                                                                                  SHA-512:855CE45C8115555D0BE7F945CCB77D7D8CE05DE1472F4B0D4CAD8535B92550E4D00901F10078DE81E10FDC0FDAF1D7E10B14F4489E671BA271F1C72D507C76A5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.................. ...@....... ...............................&....@..................................-..O....@..................0(...`.......,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l.......#~......|...#Strings....x.......#US.|.......#GUID.......(...#Blob......................3................................'.....).........u.................=......."...:."...W.".....".....".....".....".....".....[.....".................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;./...C.J...K.j...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.843952558952105
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:xSKiWIhWCNyb8E9VF6IYinAM+oCLp8t2l:xSK8FEpYinAMxC9f
                                                                                                  MD5:81DFF20248F2B19ED960B2E53C49691A
                                                                                                  SHA1:6117702986558F2352E9068417EC6D5085835EBD
                                                                                                  SHA-256:10EBD20E59BE4977CA2E8E92FA14A2D115D73371B4612C09E2679B1EC026C9F1
                                                                                                  SHA-512:F9BCA3BF3560AC6EBD3E7A53AF29ED0389E71780D68DBC19503418A0C5E524C592FDFF95E7B8714DFC0C438CA5264BB31F66A57722EBD80D9C08AA0E1864A415
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................R.....@.................................t(..O....@.. ...............0(...`......<'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..l....................&......................................BSJB............v4.0.30319......l.......#~......@...#Strings....D.......#US.H.......#GUID...X.......#Blob......................3......................................................\.....0.....'.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.791455106805695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:i0KbZWApWmWTpWeNyb8E9VF6IYinAM+oCkp8t8AJ:FKRylEpYinAMxC3j
                                                                                                  MD5:C46F83097836817F35C876B17DAE8730
                                                                                                  SHA1:147BD9C6C2211559084EB1F1B1C9D6A99D6E6C06
                                                                                                  SHA-256:0584979D15B684039D5BA5AD34EFBC674792A213AFD2645DEAF5F23D02679E22
                                                                                                  SHA-512:BDF759C71B8154BA7370381DC4910352F76903E063BD6E112EF4454E2E5382AAC6818643928106600AF771CBB60ED6B919DA5C1341C0074A5D2063E119F823FA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............)... ...@....... ...............................`....@.................................>)..O....@..................0(...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................r)......H.......p .......................(........................................(....*..(....*..(....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings....`.......#US.h.......#GUID...x...(...#Blob...........G..........3.............................................."...........C...........u...............m.b...........J.....J.....J.....J...6.J...O.J.....J.....J...j.C...S.J.............................P ............X ............` ......4.....h ....................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.874748396830931
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:+b1nWCXWzNyb8E9VF6IYinAM+oCnY3lWx:A7SEpYinAMxC1
                                                                                                  MD5:7D700D3B38D8DAFD0810CD4876F9FD83
                                                                                                  SHA1:B4F61E58BFB4F3749DECC8B346B07177C9627CF1
                                                                                                  SHA-256:D2CC735515202BBA87EF740A93276C74E0FE2BD88BAC18EFC7D8DD74D76D381E
                                                                                                  SHA-512:594A2A91060036416ECCA8FA7C3F70AA46B2996A99836A36B84BABC7C8B4D99B5D844EE588A97A60EA1CD2AB96AC8A0B8F5D918917F09B5F2FEEE80B1A1C7570
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................O@....@..................................(..O....@..T...............0(...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~.. ...t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....6.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.779188885791948
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:cNc6cYxmPlW7TW5KhNyby2sE9jBF6IYiYF8pA5K+oCGUHFFr9I+Rtg:uTyW7TWWNyb8E9VF6IYinAM+oCRr9vg
                                                                                                  MD5:0A454F3BEDC63C21C6ABA90E35E80C06
                                                                                                  SHA1:A31F2F6C213CC5381576F4324FEF98CCBFCA4016
                                                                                                  SHA-256:8586A1D14998B33519E683C58EC2D2CD68B94DB7BC6D4D6EC290A36AC248E50F
                                                                                                  SHA-512:BBDD88FA84D631B88DF7F11AF7EE0BC08F3A0E2B2A850ACFBC0336A394354697A7AB54002839D29D1DF4BBC388C16F3031ECB165FD147346BA18634CC301E9E3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............2*... ...@....... ..............................=s....@..................................)..O....@..................0(...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.7.....7.....7...C.7.....7.....7...[.7...x.7...-.0.....7.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.909257187752604
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:f6Rb32WVzW+Nyb8E9VF6IYinAM+oC0Bz9:iRb3dfEpYinAMxCy
                                                                                                  MD5:DC8AF98B3AA43EC27CFBA21DC2292837
                                                                                                  SHA1:69CE0B481F2B49643CB946AD02A90812B0A7EA19
                                                                                                  SHA-256:EFA42933DF41DEA9FDBE6BE37912770D3E8C3869961460E9534D645A7677C40E
                                                                                                  SHA-512:9FC0DD720AC089202D638743A0F5A50388DE3162177320B56508BE69078073625CE626BF853FA0D87EAF76A4BEC4167235EBF9886FE5E3041643831D5E233613
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................g.....@.................................t)..O....@..P...............0(...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................K...d.K...8.8...k.....L.................K.................c...........5.........................2.....2.....2...).2...1.2...9.2...A.2...I.2...Q.2...Y.2...a.2...i.2...q.2.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):31792
                                                                                                  Entropy (8bit):6.537621622428481
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:mu5I+sqOylryry8qqIfUc7a5FEpYinAMxC1xHR:mYIVBpry8qqIfUcm5e7Hxof
                                                                                                  MD5:F52348F4F20D6E7D869376E16E61F4B4
                                                                                                  SHA1:DC6D2D361FEC63C60D3B1FC94F1202407DB5BE90
                                                                                                  SHA-256:A3DF93074CED87596A7A0006347854135A1D223CC495D31B33554B013F5C58A5
                                                                                                  SHA-512:34A1AA5AE037924DBA14A4F885F6A440B7B7027C94ED63674B74199D012C65B9C9419598B696364254F7635B2411E29C1B7AFFA423D91CB0414E1BB5DE6D6CEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..F...........d... ........... ....................................@..................................c..O.......x............T..0(...........c............................................... ............... ..H............text....D... ...F.................. ..`.rsrc...x............H..............@..@.reloc...............R..............@..B.................c......H........&...7...........^.......b......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rK..p.(....*2ry..p.(....*2r...p.(....*2r...p.(....*2rc..p.(....*......(....*..0..;........|....(......./......(....o....s

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.875852056465243
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Kvn4HREpWiQWRNyb8E9VF6IYinAM+oCeWDgL8m:FSLEpYinAMxCZm
                                                                                                  MD5:F267535EE36B8534C17EC699A4794D23
                                                                                                  SHA1:9F1636C48D07EC6F6D41F502EC6C34D1CB366A73
                                                                                                  SHA-256:8F8FF68F8F9D9B0B5535F299ACD91760B12B04DD0F002A625CA37BC1CAF5F30C
                                                                                                  SHA-512:706281AB412C1683064C19CD710D38168090F3B203A361F5F7765DD7E4D6A7830E785506D852A1CE12CD28C195BBCF09075A9611F41F38170E31D34ADD029DF5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..P...............0(...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......l...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................n.....B.....".....V.................U...........$.....m...........?.....(...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.77448448889411
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Y8MjKb47T3UCcqFMkJ59WdtW0Nyb8E9VF6IYinAM+oCov66o:pMjKb4vcGdOfEpYinAMxC+o
                                                                                                  MD5:C2F1630FC88F44DF3AE9B49BC5B7749C
                                                                                                  SHA1:3325347B005570126D474FC6C87D670E82C14BC5
                                                                                                  SHA-256:7A3853809A234072CDABB87AD1DBFB8C6C49BDF55F2E29883F1A7860AD2B302E
                                                                                                  SHA-512:6A56651089A71E995BE977B734B970BA1BB3FCCB9E6D2646D6E7F05BDBF00C7EE635A2A9A4480A18A6DCD1669B7C1B58E15BB1E9315CBDFE0EF8C2BE0E73DF63
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ...................................@.................................`,..O....@..................0(...`......(+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ..X....................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....4.......#US.8.......#GUID...H.......#Blob......................3................................!.....O.......................................].....z.............................7.......j...........n...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.856668488122503
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vzyNXd4+BW6FW9Nyb8E9VF6IYinAM+oCDYhbhG:uzKEpYinAMxCc3G
                                                                                                  MD5:B679DCEC9760E87F0008D4F2F2330541
                                                                                                  SHA1:04990E4E550115CEDFCDC3CB6ECFC9C210EA0A65
                                                                                                  SHA-256:612852589918EBDE806FA392DF3C69B401976240BD3C2FD3CE9ECFC32C4CA783
                                                                                                  SHA-512:C5833E1E545D012B43F2C8349DFE70E16DC3E01486F0A11B7FADB93A26984017B704AAADBE743CF916F6FD0368977E98D5E761EF64456DEF51F717BE4270F7DC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................0(...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...p...#Strings............#US.........#GUID...........#Blob......................3..................................................'.....'...T.....G.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.8620326999031915
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gvs2Q3HKJNrWWRWS6Nyb8E9VF6IYinAM+oCm8ZrH:guMmEpYinAMxCPpH
                                                                                                  MD5:A2E040D009F3E0B869B6466665F64E4B
                                                                                                  SHA1:CF5F9D94C7E0A604A0ED4221AED05CDF13265E83
                                                                                                  SHA-256:1FC703C161A30E623DD7AD1C9E6D5CE2DCB57B3A64ED258D3E100A718FCE9885
                                                                                                  SHA-512:7116E91C9605669F5746D34E38B637C621EE5B0F93528B5F1B14004416E3ABCC00B5E9B9C937970104D9AA4B3D043C37811ABD47C609D29CA30DE9E5689F11DF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..4...............0(...`......h'............................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....p.......#US.t.......#GUID...........#Blob......................3................................................../...q./...E.....O.....Y.................X...........'.....p...........B.....+...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.829858302949805
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:iFz0Q6gcqRhcsMWdMWtNyb8E9VF6IYinAM+oC9Jtac2Y:iFz1c6jEpYinAMxCLN2Y
                                                                                                  MD5:4D5C5C3571C6FC162E5F2386B4350933
                                                                                                  SHA1:1E8E9426533863991A81C886D294186275D639F8
                                                                                                  SHA-256:C2E38BC6156537A6177B199F99F074D6B1EC46F6DE82004B11CCF3F07F13448E
                                                                                                  SHA-512:F5433FF6422E8CFAE794D84EA4996AC1A284B3A5B455028BC296CFA14EEC1D7E66FB5D1A741C7EEC32A94C0D6F30CA1A746BF13A1AD5180428AEC7E93FE29EB1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................8.....@.................................L(..O....@..................0(...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..D....................&......................................BSJB............v4.0.30319......l.......#~......,...#Strings.... .......#US.$.......#GUID...4.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.7233141405495465
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:y6xWA3W4aW/NWgNyb8E9VF6IYinAM+oCIJ8+:yaBbEpYinAMxCs
                                                                                                  MD5:17A8D0B92AFE0AC51D0FC1B099A10E79
                                                                                                  SHA1:E4FCA15B61A4F453C6C04214B9392CA1952811C5
                                                                                                  SHA-256:64F8EAB6554162F3BDA95CA44402C1CD470E74E236E6C7C9A2B594DE0613CD15
                                                                                                  SHA-512:7E53167BEC0B758C74F6E1DB22A495843C921320BB5395B505847F81EBF17D541D06429DD3FAA066E39438EFC9CA1A0BFBA0FF11CACB1DFC978AC4C40A13F24C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................9I....@..................................+..O....@..................0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P .......................*......................................BSJB............v4.0.30319......l... ...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................-.........O.k.....k.....X.....................1...........o.........................B...........9...........J.....J.....J...).J...1.J...9.J...A.J...I.J...Q.J...Y.J...a.J...i.J...q.J.......................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.954765148782394
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:7784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRvc:77N1r9KGI04CCARLvc
                                                                                                  MD5:B0198470EB44D27E51D9F5818F4B26D2
                                                                                                  SHA1:828733ACEC782256A947FBFC0C039C1AE9F075AA
                                                                                                  SHA-256:C9AF9310D3F5DCF8B999AFCBF78B864ACC8B974F4F5B12ED3945CADBE7785082
                                                                                                  SHA-512:7D0337696D05516DA8203205515A3E6CB081C3EB8BAC1606903F2DF239D3A44771E1FF031B7FC9E67B85AF23D8DD04B3AF7670BE8D8393CD5EB0A8A4F8E3B922
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`...... !....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.854248517746036
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:mr97WquWeNyb8E9VF6IYinAM+oCkp9R3Wbe5:mRJWEpYinAMxCedKA
                                                                                                  MD5:341CD9B332F24C4C7E53531164666F9E
                                                                                                  SHA1:A07A58F26C5FBF41DA3456CBDC796ACDA69B2EB7
                                                                                                  SHA-256:D14874711A9DB1FE279F759780AF2D75CFB24AEF27CD2BD7C7EA984B13B41807
                                                                                                  SHA-512:CA4A830F7733BFA4F734C406136B60539D7C7C842E4606FDE04594792EDFDC70A55EE23A182EF38CEF473D5003F6FB5846DC7AE26A85F98CCF013FF4E6783975
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............+... ...@....... ..............................9.....@.................................\+..O....@..................0(...`......$*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P ..T....................)......................................BSJB............v4.0.30319......l.......#~..T.......#Strings....0.......#US.4.......#GUID...D.......#Blob......................3......................................z...........j.....j.....W...............B.....z.............................................................Q.....Q.....Q...).Q...1.Q...9.Q...A.Q...I.Q...Q.Q...Y.Q...a.Q...i.Q...q.Q.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.794085088631407
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:R16eWLDW1Nyb8E9VF6IYinAM+oC44iq5k:z6LIEpYinAMxCqq5k
                                                                                                  MD5:6F9FBDB014EFE1DB688C627EBAC7D417
                                                                                                  SHA1:3C574F015D8D8D4B518A3046ABC740868A067CEB
                                                                                                  SHA-256:C2742EA58FE3BDBE6FDC70EE7902E4D17FE701EDB8C4F2B5320C2D68C84C0C5E
                                                                                                  SHA-512:AB35E8F5EAF790E4D3376F3CC48CE110061042C9860A0EE7713070A4B8F81E0311BA1448257D69712C8858F367270FA2B3E64CF2BD62CAC645B35AA425CACCB5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............*... ...@....... ..............................."....@.................................|*..O....@..................0(...`......D)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..t....................(......................................BSJB............v4.0.30319......l.......#~......8...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................z.....z...u.g.................................>.....W.................r.....[...................a.....a.....a...).a...1.a...9.a...A.a...I.a...Q.a...Y.a...a.a...i.a...q.a.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16944
                                                                                                  Entropy (8bit):6.786517559975683
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:l8G4YC2W+wW8WpwW3Nyb8E9VF6IYinAM+oCPVmR:qGZ5ZEpYinAMxCQR
                                                                                                  MD5:684BFCEDF10E7B1C8DADA304444168BA
                                                                                                  SHA1:A8F418C33C7A1F874546B66CCB565F0FD44FD7BD
                                                                                                  SHA-256:D566DD2D463213EC388502E81F4918630642C1C55EFEBF4E049E528757CC7C3D
                                                                                                  SHA-512:95EA23DB7A555B9B2178BBE52FD79C16E4DAA6874F4672A9D855CE8D41B4EEA5AEF7DBA5298C2447B916FEE99414F5CA896E3E1FE53DDF42C74A95DC898D7516
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............+... ...@....... ....................................@.................................z+..O....@..x...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B.................+......H.......t ......................P*........................................s....*:.(......}....*2.{....(....*BSJB............v4.0.30319......l.......#~..0.......#Strings............#US.........#GUID...........#Blob...........WW.........3..............................................................L.........4.H...}.H...u.v...........;...........;...=.;.................../.%...........P.....m.....................................v...S.......v...d.v...........v...m...............

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15408
                                                                                                  Entropy (8bit):6.898142113844479
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:96ziqTEkGWvRWpNyb8E9VF6IYinAM+oCKPITS:9YT1yEpYinAMxC0cS
                                                                                                  MD5:73F2E9747A6A2B63D1113DF842EF2255
                                                                                                  SHA1:727586913C26BBC7B234A157A7C1B9515D14BF7B
                                                                                                  SHA-256:DAB74A74DD09058C4CE7BD87317660753E89F651E95B780C867AD210B455CD29
                                                                                                  SHA-512:048F3C1AFCF5AE4CAD212A4749A7BAE5500DC859FF1A9599CFCF9632CD7581782EC517992D4F00D540AF510AA2D5595634691355EC300873ED79901B229EA484
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................0.....@..................................)..O....@..................0(...`......d(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3................................................'...........~...................................G.....`.................{.....d...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.809623495878564
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:VUv7c7iWNCW9Nyb8E9VF6IYinAM+oCILeq7/:VM7c1VEpYinAMxC0R7/
                                                                                                  MD5:E2229C7506DF972C642D65097EB7E8CE
                                                                                                  SHA1:1063EE34789DAC1D81239B4F1E50BD037E017F9B
                                                                                                  SHA-256:7E57A50DCD9DE1E3312EE74E967A9993EC61E4234A2CB8503B4BED9E817093D6
                                                                                                  SHA-512:C9EA65CB82E766439266D11DC9B2D6C055C56BE4C35EBBB7960F15BE766D835C75F38E1437F3B1103E16CACABCE4BC5CCE9A13A5641F3335B4A2096CA01117F7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............*... ...@....... ....................................@..................................*..O....@..................0(...`......`)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~......l...#Strings....l.......#US.p.......#GUID...........#Blob......................3................................................4...........~.............H.....H.....H.....H...T.H...m.H.....H.....H.........d.H.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15920
                                                                                                  Entropy (8bit):6.853233808770002
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Th+vxmNWnRW5x+Nyby2sE9jBF6IYiYF8pA5K+oCGUHF8C8cosq:T0SWnRWmNyb8E9VF6IYinAM+oCIvsq
                                                                                                  MD5:D3292C8DCC7F14ACB5D84354BF301DDD
                                                                                                  SHA1:832FABE728E43F6AA4C0C005F52781C1EF6319D2
                                                                                                  SHA-256:527D1729C7BC55FDC88771FB13237CBD9D78DA0023997E854FC723C3C612686E
                                                                                                  SHA-512:ACBDED154B6F3A0EDB74B22EEA44DCD3A4F5610A750FE7291437D8144EA9D75BBFCAA58156CB4328EC16A39D3E141D71B286D4A977092E7E59DF693AFD73DD01
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............+... ...@....... ....................................@.................................L+..O....@..$...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................+......H.......P ..D....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings.... .......#US.$.......#GUID...4.......#Blob......................3..................................................k.....k...U.@.........i.....=.........................................&.....'...................:.....:.....:...).:...1.:...9.:...A.:...I.:...Q.:...Y.:...a.:...i.:...q.:.......................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):92720
                                                                                                  Entropy (8bit):5.483627118870135
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:B2Ec05j4eAH64rh5fSt5T9nFcI94WX7Hxcl:QlK4eA7mDmWXKl
                                                                                                  MD5:17B53AFB0FDB248CD2ABE749065B8801
                                                                                                  SHA1:C314274B96EC31B3FB668598F55675B2D8169965
                                                                                                  SHA-256:2B58002EECD2A5B793CC63F363189EE0FB78D654A63955FF09A0D38B5D04CCB6
                                                                                                  SHA-512:FDCF6ABF40F4B6CE679E1F1EE54B1A6553445BB885A97666220461FD3601B949A8A2E98C3075A442D2A7497204CBA55BD5F0F9BC2830CAE0A801E220E28E64C9
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..Z.........." ..0..8...........U... ...`....... ...............................c....@..................................U..O....`..,............B..0(........................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...,....`.......:..............@..@.reloc...............@..............@..B.................U......H.......P ...4..................,U......................................BSJB............v4.0.30319......l...|...#~.....d...#Strings....L3......#US.T3......#GUID...d3..x...#Blob......................3................................q.....2B........e$.M...,.M.....M...4.M...1.M...1.M..v..M...*.M...*.M....p...........................!.....).....1.....9.....A.....I.................................#.......+.......3.......;.J.....C.f.....K.f...................2.....................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2725964
                                                                                                  Entropy (8bit):7.999917199181124
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:49152:CTP2oXCniIA/ZMtub7ID8jy5MswqKRMgcveOpQfWw840AjROyvihIUsnLY8i8S1X:2BYiZc1z5Ml5dcpvi0ryozazGX
                                                                                                  MD5:87E0691D3B8DCB446AFF3C1A43BF53F1
                                                                                                  SHA1:572385F4DE28C78487811FC20DBB1DDB95DD7D49
                                                                                                  SHA-256:3E9F7558B5671E5125DA7C6C1975E49C907DF16518D899AFA7FB111526B2DA3E
                                                                                                  SHA-512:70D8184657E4172C64D6D876D2C99553A8BFED0BA5F25C3F5AD3A381D509A4C6F75BB95F1973B91D3B2E387D7AF615ACC2930A23842EE90180B5ECCAAF74FDD9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-......X.Y..+.........?...AgentPackageProgramManagement/AgentPackageProgramManagement.exe....0........i........4.M..s...9.CJ.%.cf...&..w....hG..L...|...T...ZI.w.%.hUa.....E^[........mt.~...........,..k...DnN.(..6.K.1..8...!..J.u..............s..b>..z.._..`.Dr.mbW*.f..P...Xw.?.....O".9..l.+.r.0.K....t..g.....V.'..lDL.\.....o........-Ay.Im;D.;.7...H....Qo...a.lg3w..9....i.yI......V!t..V.... .cuB}....C.#.....*........[U....K.t.~F.&Y..+H.p..8Y...a(.{...3Y.....@.E..S....$.s. ...V'.U.....L.......s.r|.-u...7"I3.ZM....Sh.W..-...0....+sY.j.K....z.Sx.%5l`e6.D`...M.;S..T.7....).g....P.).m.&.....y-.....Y#4.V`j...;.........U....u......X.n!.s...x...b..P.\kh.R..t"..h.M.L..,.}b5...^.H.B..:.........._...^..{..!..s."......._...JQ\bkPc...._.E...i..c..x&]r3.".T6....R.....S.]..v..j....RU./..R3P...C._..K6D.d..?....'S.u.Q.Kv..3.+t....#R.. )......<.o...H'.t...,..T.l...q..l*..\..r..w.f..Ue..}A....!....3.3.S>.....p.1.T.yv) T......r......d....;...]..t.#O..5.@......

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53296
                                                                                                  Entropy (8bit):6.250578884773528
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:7AKn1qFDGSB/5mT+iZ7qVl91fXIux6HtaRtYcFm7B6KfEpYinAMxC6NO:MKn1qFDGT2Vl91wk6HsBm7BlY7HxA
                                                                                                  MD5:6E034C46991A649567D61B8124D6E59F
                                                                                                  SHA1:521E87BF75E0E17F6F9AD7805C1BABB0C546B97C
                                                                                                  SHA-256:BE13A7F910F96B492C76A52CCF52E1D800BBDA00236827DCB946759427650254
                                                                                                  SHA-512:C8B5B78674250B1935E8C9BFACFB58318C7541601BDD8DA64A388775C743C107900C8699B21838E87B323ABA5D2451F94255CA11FB26B5D23C74289E89FE7520
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....w.f.........."...0.................. ........@.. ...............................2....`.................................d...O.......................0(..........,................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......0N...a...........................................................0..........(.......(....o.....(....r...po....o......o.....o....o......(....s........s......s........o.......*..,...o .....,..o .....,..o .....,..o ......*..4....W..b........O..n........F.2x..........|.........{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(!...*.0..K....... ....(".....i./.*...............&.........K...%.. ..o#......r#..p($...,.*......s%.....s%............r;..p(&...,/

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):776
                                                                                                  Entropy (8bit):5.037356665456624
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGp2VYF9LNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:JdszvPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                  MD5:336CAA70D9EF388EDF8B234E5FC40CEE
                                                                                                  SHA1:864CCB7643FC99313E5ACBEB59D608CD179E01BB
                                                                                                  SHA-256:9BB07566C5CEAF46CFC1164A63553BB3C00AD8A04138211C6EBA81B60F4FE355
                                                                                                  SHA-512:EB037FF55C7D61A4170A9143B7BA40CC43DDBC9E8DF673D7AF03548C27C4410F53A5CDFAFE8942559B9E5061419512F3C8FAA5A6D32ED147DD33F832CF43E637
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXWo:WBd
                                                                                                  MD5:C91AF97F5D31DA1F8587189542A14906
                                                                                                  SHA1:7A552C0BE3A8C7B82F5FA83FF78ED0FB0B9457C2
                                                                                                  SHA-256:A64001C3764D8F56723ACB78FE86FAE386609E98F61B7625A7419C58E2B55316
                                                                                                  SHA-512:CD2AE3F50BC7E33954ACFCB4A3DD97241A820592A90657CE9B2380E869EC192E719CD69475422B2F74156F409D0850C56B21A4C8D1FC643BC7DD8DA16166A5E4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=23.9

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96816
                                                                                                  Entropy (8bit):6.1809368759805565
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:fJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJd/50vks00UfafgVU7HxLW:fQUm2H5KTfOLgxFJj550vksVUfhVUhW
                                                                                                  MD5:E5A53B1B8DB89B3965134FE3CB8DF7B0
                                                                                                  SHA1:B7661710B26F04A4AF6E530085BD9EFAF507A31B
                                                                                                  SHA-256:4DD785220EB7EB9F8114AA8AC125649EB7AE79685A7A9A6F7819B7C1011BF752
                                                                                                  SHA-512:266281D307ECA1F2107CC2A71E0B4A1A7105219E74F4FAA0CB93C791FC0AEACE28D41A541755078A72F1EFC2A9B6AE50F4C84F334080DAC129D9FC99022456B2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d.........." ..0..H..........zf... ........... ..............................LQ....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960474505704917
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:bBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUg:bBA/ZTvQD0XY0AJBSjRlXP36RMG5
                                                                                                  MD5:4C7831F91F22C4329B35B60687D4FC00
                                                                                                  SHA1:3B867787EF3B6207310250EFFD192D6DFF209C9B
                                                                                                  SHA-256:F9A13F6AD27604B8DF15F9A42203413AD211EA43D0CDB9B19957CCE3C94A3F46
                                                                                                  SHA-512:EB33DC0A1C65934C5A22764A0A951B2309BA5F27F13CECFF91FF91E0B3C8DBC633E37BA11C55F88D24D9A584B8F1F8653AF866053DB6F468AC71C56C249ADC0C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......B`....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):50224
                                                                                                  Entropy (8bit):6.202750116213148
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:0SrEZvG2rO17QaCg2zJMnLVPPKctfhSm6EpDWJkBnCvZuSEpYinAMxCA:JsG2KuD7iBnzz7Hx7
                                                                                                  MD5:5F703134E04CA2F1D499592C3A649FFB
                                                                                                  SHA1:9B365DA17EBD8C341C37DD914B7806C55A073581
                                                                                                  SHA-256:A91E9AED1DCE65F7A6C2D87CBA17087ECC5B6BC2BFB9955B416B81F98F9E01AA
                                                                                                  SHA-512:A356E2A0663001407D01A5DAD533C428E495E55F5C2531AE0915C2F8127528E46D96412EF6CA1E6B1B3679CD7D7F84D2B5C4FA1B9D38306F8818BA01E4942512
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....x............" ..0.................. ........... ....................................`.....................................O.......................0(..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........J..|f............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..(....*..{....*"..}....*..{

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):662
                                                                                                  Entropy (8bit):4.952846219984862
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:TMHdGzNFF7ap+58hOf/2//3QOFip+5v5OXrRf/2//FicYo4xT:2duPF7N8OH2//3dVhOXrRH2/d9y
                                                                                                  MD5:0F638DECEBA5011AF737C29E90C20F6A
                                                                                                  SHA1:1484B6084C8231231C7C472A57E6835B4A3EA146
                                                                                                  SHA-256:B50494F0DDF2AC7DCFB74BAE526E74F67FF501AD0CD5B712834829DAD9563368
                                                                                                  SHA-512:0E26D3AD25DE0FD761D4F15E714AA136C19427AA02469BE8A1D0CE639FFC398E798BA30F19DBC77C8A231FC1B849D07A88C2BDC797C9D191847663F15ECA2917
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6655024
                                                                                                  Entropy (8bit):6.267134376801171
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:FCMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIw2:9lV1qKpkfqbjeGVr4NHYJ60B2
                                                                                                  MD5:5EF9992E5A127EB43285711E5ACBC07B
                                                                                                  SHA1:2DB7BB0FFF5E516BC5524BB340554DAE5FF44C1F
                                                                                                  SHA-256:4D756FCD37CD44EB88C9E349B783E8314A0460954F0507E60BEB389514E4773D
                                                                                                  SHA-512:41B364356B95A06E7B578C16B4E5B1A4401416A850C564AEF95D050D06603D167030A1645EFD9733D822CA1D8B3DB4C7FC68CD2904D6A6B0DB3D7F72B2E87D63
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Db........... ......c..........c.. ....c...@.. ........................e.......e...@...................................c.L.....c..............de.0(....e.......c...............................................c.............. ..H............text...w.c.. ....c................. ..`.rsrc.........c.......c.............@..@.reloc........e......be.............@..B................H.........A...!.........H....3..........................................0..T.......r...p...o......9,....s......o......o.....o..........9.....o...........9.....o......*.........3..........7E......"..o....*...b.:....~....*.o....(....*....0..s........:....~....*.o......9......i:....~....*.~....:...........s.........~....(...+~....:...........s.........~....(...+*.....6..r...p(....*.."..(....*...:.(......}....*..0..+.......s.2.....}.....r...pr...p... 2..s....o....&*......0..{........o..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):280624
                                                                                                  Entropy (8bit):5.69143427619248
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:8G0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhC7:8JrycoB3HVeESME3pnaVTS1nh7hCaO
                                                                                                  MD5:F9450AE9B1DAF75A772A5CC8D359DAF6
                                                                                                  SHA1:C693C23797E103DEFDB6FFCD95BBD35FDEEB50BF
                                                                                                  SHA-256:BED3F5FDA16870BD55C2BF43ED48C8BE610DDB5D1C17E8E501F8273504A2E04C
                                                                                                  SHA-512:05825B0FA8B4E54D8882C084144148F82F125A18C95F14BD6A0F9AEB394B393F6F1DE6B180D8E87E24D7925D89A1C727A3A15EB1C75511E3EB3FE835BC563CA5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p3..........." ..0...... ........... ... ....... .......................`.......Q....`.................................h...O.... ............... ..0(...@......L................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1185456
                                                                                                  Entropy (8bit):7.999660178690134
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:24576:Ssoja9MaLduouhVlf0tyv29r1+IdjkaCgs54gvUokF4fEFBb:HoFOJuhV+tyor1+I+aqdM2MFBb
                                                                                                  MD5:6C6F85E896655A6EB726482F04C49086
                                                                                                  SHA1:2E0C55CD4894117428B34D21A1D53738FCE4B02C
                                                                                                  SHA-256:E109400A93FEDE90201BBF37C1868C789888BCE9D03A4AE5B46C48599939C34E
                                                                                                  SHA-512:B58303C149DEFFC9E374D5BA42A8A73B7CE890D35F9589FE0B09ACEC541A21D589D49FA5086B965277FA22DFE308357505124F13A6FF1E0DE415EBC40CE61E15
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-.....J9rX...........=...AgentPackageRuntimeInstaller/AgentPackageRuntimeInstaller.exe....0........g.........^ ....,/_.U. *t....H......Z.X..x#...?....(/.EH.....r.l#.6.......76.b....u',4%.Y.br....W..VcO..[b/.....(....."I..u..S*....../.x...j.5.<b......n.v0.. z'M.....w.. ..qu.<...w...[...9....F...D..+....o....!..1I...^=H1.{.:=\...#V.]...1..)F.s":$.g.H.p.'^....K.F...3..}.......[J....xD.........._RB...... \=b.<.u 1k.Y....&.X.).`>M9.$H.].>t..^..!....}_.H.....h....uT.q..cJE.M... .QG..+?.gZM...G.9x.T.q..U..... X.s.....{....F.G$..$.A.n..jz]=.qi!U..4.>.e.7"..].O.F..XdciK..d_0..H..7rHd.jj.L.v6.< ........2.8....8.mc_.(!...\u...mY.........tv.e..,'..E......l..s`... s...W.Sx9b..Dnc...!0_..T.y..%r..{..E;....v"ce.K....{...).B....:N.H$..h..F.......Y.8k.....M....~9..X-M....f>~t..*#..R......6M....f....>-b.....W. .S.WO.c".>.....+iR..w~.u...6../..J..^&...K.BcQ.Fy....<.O.......P..y..#5:l.4.......~........g.:W...1.p7...K...n{.9~..c.h......NT.5...w........?_>XJ..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-32.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28281168
                                                                                                  Entropy (8bit):7.9983115885511795
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:393216:UcIh/CM3n8W1YXQKhFPo4ryearUIODSHNBDGy+a5XkLidmzbGuNpRtDsX0O87itv:Ufh/CSLqJQ4raJxFtkLiMTp3DnMtvQA
                                                                                                  MD5:586E5A9D36156CF316806527CE9D2177
                                                                                                  SHA1:AF1021F2D0A4647D181EB3A0FA8F75ABBF5A43DE
                                                                                                  SHA-256:381D234CE8D5692A4DF2783895C2316ED6DC96F4BFC8E62D91A7DFC0E0CC2EB3
                                                                                                  SHA-512:E46FCBF574776ED1859296A18734AF102A921E8AEEC0069EE94BC8F24D4C69AA28B1B15DCBA3754AC1AD3EFE099C82BC4653942931EEEB854B2ED0684D52EA85
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]aN.<...<...<...L...<...L..j<...T...<...T...<...T...<...L...<...L...<...L...<...<...=..PU...<..PU...<...<...<..PU...<..Rich.<..........................PE..L......e..........................................@.....................................@.............................................:...........`..H)...P...>.....T...................4........F..@...................T........................text...>........................... ..`.rdata..&...........................@..@.data...<...........................@....wixburn8...........................@..@.rsrc....:.......<..................@..@.reloc...>...P...@..................@..B........................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55344
                                                                                                  Entropy (8bit):6.139210251385105
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:N2Xj3YqBmARWhNqjxcVqnOvdBsqW/BCiFl0scb/MV7Hx/:wX5BqSBjb0tb/MVJ
                                                                                                  MD5:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                  SHA1:76A6BFD488E73630632CC7BD0C9F51D5D0B71B4C
                                                                                                  SHA-256:2A0EAD6E9F424CBC26EF8A27C1EED1A3D0E2DF6419E7F5F10AA787377A28D7CF
                                                                                                  SHA-512:29C8AE60D195D525650574933BAD59B98CF8438D47F33EDF80BBDF0C79B32D78F0C0FEBE69C9C98C156F52219ECD58D7E5E669AE39D912ABE53638092ED8B6C3
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. ....................... ......o7....`.................................X...O.......L...............0(..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...L...........................@..@.reloc..............................@..B........................H........K..|v...........................................................0..........s....(......%.-..( ...+..(!...}\.........s....s......o...+o.....=.r...p(.....(....(.....(....o....r?..p(.....(.......,..o ....*.......4..A.3......4.@t.......0..8.......(!...("...(!...(#...($...(!...o%...($...(!...o&.....&..*........44........('...*..{....*..{....*..{....*..{....*..{....*..('.....}......}.......}.......}......}....*......s....*......s....*......s....*......s....*V.('.....}.....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2010
                                                                                                  Entropy (8bit):5.013965898836397
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3rrb7O7Rgdp+1/gYoSagFsg+w3Sg+Cag+XgjdgDt:7rne4wCNj
                                                                                                  MD5:0B17B3BE9B3A6F6879998D280941DE55
                                                                                                  SHA1:EDE825B51EE11AF7C9221DCE596BB969CD068529
                                                                                                  SHA-256:1D69336E421C535CECF2E0326BE39B44EEC8EA39754AC8E855D8E0368E0F4619
                                                                                                  SHA-512:06D9CC03B8F7295A6E02376159EA96A83CAED4B584769370C0BF365B25D29C883BA5C8359CFEB7316D13C93B49FD37CCA267F6E7931220CED71435E1F4B639C8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.14.0.17971" newVersion="2.14.0.17971" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <d

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11
                                                                                                  Entropy (8bit):3.459431618637298
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhUnn:Wu
                                                                                                  MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                  SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                  SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                  SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=1.6

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):93232
                                                                                                  Entropy (8bit):6.195903304850222
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:zSvbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hx9:zS8UMW+BV5M+5Nn0kom/RS3
                                                                                                  MD5:B969BFF44179BF8A3584EEB9E026CAE1
                                                                                                  SHA1:DBA7A528F51870B89AED549E81EF0660F43B2943
                                                                                                  SHA-256:5EE05D3796AB12ECF7F2D32D48D41D2A2A3FD257AD8456A0EBD5E6019492ECF1
                                                                                                  SHA-512:F0643905258D2C09CA0A6C30A0A9AD5AD2FE184A65B7FFA5B7B731FEE8357672B35246626A10B39DF7C18EF1B75328192495685DDF9CD2F524E913D6A2993E18
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ....................................`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95280
                                                                                                  Entropy (8bit):5.998418289121845
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:6iLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7HxlF:/Z0PMcjrgF
                                                                                                  MD5:3AB0B86F5D058374AC789F05FB6C6E81
                                                                                                  SHA1:4C8142A6EA10F48735429B125ADC278178FA0082
                                                                                                  SHA-256:5F773968BD0501D91C4AE1339D248B4F766C39885B35088953AFB1BE6FBCC4E8
                                                                                                  SHA-512:1A6CC62361FDD20A99D9551E677269D9D67B6F4B66C09083E07AE5732C23FFE15A5E687437A16A27896A19DECEB9F23D7614B6CC44445C365E3A59DED1AEE6E2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..B..........R`... ........... ..............................P.....`.................................._..O....................L..0(..........(_..8............................................ ............... ..H............text...X@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................3`......H........h................................................................(......}......}.......}.......}........o=...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po!...o....*..{....o0...r...p.(....(....o&...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.6559468525212
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:wXh+/DtYchNyby2sE9jBF6IYiYF8pA5K+oCGUHFeFl55qz:wXh+tYmNyb8E9VF6IYinAM+oCaF5qz
                                                                                                  MD5:8E2D0F47E477FAE8132492A31B26F1B3
                                                                                                  SHA1:6C3EB7CB1D5E942DC6A62767A701D201E2F69CE1
                                                                                                  SHA-256:7C8CD3B61286AAC09534541EDBFF10618938236830167581BD3E922CA55A1456
                                                                                                  SHA-512:B40EA70361F5AFCCB3DC41D38A4F302AEE00B9AAC206AD2DFBD1591A7722AF732BC820C3C66EA3BC0816D4C98E364D1345077EDC786ED19135659AC91E0CFC06
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ....................................@.................................",..O....@..(...............0(...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):75312
                                                                                                  Entropy (8bit):6.23943595769723
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Tu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYH:KF+qo7mDEwj4NXLGcfgruFcg7HxRt
                                                                                                  MD5:D5B69F2C4F5CB0E7D43D7F6C1C87DC7E
                                                                                                  SHA1:98FDA78C049D650E47C17D9072E82D87C1B59E9F
                                                                                                  SHA-256:6C1325D183C7CC3E516628921005F18BB5A191B0029AF93DFB022CA4C2ABBAE9
                                                                                                  SHA-512:D95C5CD5E9DAC57FA9C5DE8645F637363A5E787A8C521B09BFBEA56D01765F4FC31E4080BDCAD28BBD90FDB9BEE1CAB50E95FF13CFAC728405D87C3EFE3A387B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`.......w....`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52272
                                                                                                  Entropy (8bit):6.4113040933608225
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:TQMnML8f1VNPa7fb8LRaIzlRK/usybUjuUY0vZKE8tcqPqZw+I39Wu1FEpYinAMU:T9ML8LW/usybGYVE8mZw+89Wu1e7Hxav
                                                                                                  MD5:94B12931B9032E80157DC27422393FEC
                                                                                                  SHA1:2B762FCA27538B55ACF736F7D65E293E5F15EAEA
                                                                                                  SHA-256:746AD9902D9310CC2F172736AC156018ECD3843BA58C8337DE017074B06CD645
                                                                                                  SHA-512:D943A39FDD74627514818DAF3434BD1ABEB4EE10077E8B10414098DDA2972851795A15CBD4CAD73A67D5171446E4A6D844CDF8BD705E72F34B7DA16678097BE9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&............." ..0.................. ........... ...................................`.................................>...O.......4...............0(..........t...T............................................ ............... ..H............text........ ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................r.......H........E...s...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....P.........io ...&..i.X.P..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....P......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):398896
                                                                                                  Entropy (8bit):6.1343664856235245
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:5jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvM:5+e55LgIkTmyAAfTnMLvM
                                                                                                  MD5:FACA1B5218F8EB76963366A6842E122D
                                                                                                  SHA1:41B281ABA7D7FE994EE6C77F7F71042885919EC0
                                                                                                  SHA-256:D779F3514666734455B5B2B7AEB035F7E1D7394CD445E332DD4D236E24D5C94E
                                                                                                  SHA-512:8F350CB3D0C13A701C67749E103B1E07EE1E2EF8EFE71B70CC728F8E21DC02922BAB241CA256695DAC9B225D450623E9F8DA055EA062E336D7F1CD9D2A3FB6D9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`............`.................................v...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1409
                                                                                                  Entropy (8bit):4.992215339808616
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2dNQjY8L2PRRkMYaWcvJ9AwcPGnJg8vQpyriEWZoEs4h:cb8MRRkMVB9AwVbIQdsoEf
                                                                                                  MD5:766E089F9AF0DAD5BFD8B77167D1E0FD
                                                                                                  SHA1:0AD55E6BA596EFEB24867DC9FDCE4B3D2F2D904F
                                                                                                  SHA-256:1D95ED644BB7D706E5B8EBDCB875B23F8B21C62C53C701EB8B3385F770808D7E
                                                                                                  SHA-512:FD8ECF32094577A51579911AC3722D839A7B0874146B909EB8DC944CDB5DA459BFCF7EB64B47EC08F40515E6C38B4C4CBA1F4D9F9EB403E891A8710310DBAECA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<?xml version="1.0" encoding="utf-8" ?>..<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd".. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance".. xsi:schemaLocation="http://www.nlog-project.org/schemas/NLog.xsd NLog.xsd".. autoReload="true".. throwExceptions="false".. internalLogLevel="Off" internalLogFile="c:\temp\nlog-internal.log">.... optional, add some variables.. https://github.com/nlog/NLog/wiki/Configuration-file#variables.. -->.. <variable name="myvar" value="myvalue"/>.... .. See https://github.com/nlog/nlog/wiki/Configuration-file.. for information on customizing logging rules and outputs... -->.. <targets>.... .. add your targets here.. See https://github.com/nlog/NLog/wiki/Targets for possible targets... See https://github.com/nlog/NLog/wiki/Layout-Renderers for the possible layout renderers... -->.... .. Write events to a file with the date in the filename... <target xsi:type="File" na

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):883760
                                                                                                  Entropy (8bit):6.071504659955744
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:V1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQJ:V1n1p9LdRN39aQZUqM
                                                                                                  MD5:17A183A03C34B8EC1C91B3DD0B50E022
                                                                                                  SHA1:7D226520BE51BD71D05D7EB56793233794F87DA4
                                                                                                  SHA-256:381278035C5A8A4668D31B12F0BF3DEC6544E9668FED84DA038A8D21D233D72D
                                                                                                  SHA-512:AD5591F6B90A07C00F10EF19231BB3C766E9E27C2205AB3A32C15B7D0DE0F732A5600665E4302290C771F06370B23E4FF0AC63E51C1F36899F98CCB6BD5F8C01
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ...............................;....`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960370699367048
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:hBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUW:hBA/ZTvQD0XY0AJBSjRlXP36RMGj
                                                                                                  MD5:53D8AD0BCDED36C2EEBD4D3C45A60BD7
                                                                                                  SHA1:9289840CB0518AF183BB41AB05428A6415B92AAE
                                                                                                  SHA-256:07A068EF96EE5F447282B42B1818FDFC372B674893E6742A5F83DDBC4DF13ACD
                                                                                                  SHA-512:41B19112B6CCE405E16153354223F4AFF548E9F55EDFDC158588E78D9EAA755E10865D7220B916EC14DAB4181C55C005B161B44AC011419EE85EFF5F65975523
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):284208
                                                                                                  Entropy (8bit):6.11766612253341
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:IZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHex:Ogo0WPVTXgk
                                                                                                  MD5:D1BA01295CAEFA1F00261AAA943FFDBC
                                                                                                  SHA1:54BE9D6F121721542E1B563804766592C9EBF14E
                                                                                                  SHA-256:F425945B4D1BD5D65776EE4FF4330F33947692EA5E797EDA3103B6E380196BAF
                                                                                                  SHA-512:DFFE1F15F635FD9C083B51C66DBE5C5C9B16516B8CA036B262765279FBF01FC521D10AE31288CA3FB5DAD4F8B6E744DDA33FB8698267C40970DCA9409178E067
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.678784612747097
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpx:tuhMaVmzDC67EpYinAMxCJ
                                                                                                  MD5:35082EAB5825C9A9D021B5B97BE382B2
                                                                                                  SHA1:4716CBD843C8A2A1AA7ED7C95700672E9A863674
                                                                                                  SHA-256:B91E3FA4C89230B668EE2DE7D6824DAB708B981F1AE94E734445154BC8A3F6EC
                                                                                                  SHA-512:9F0FFB52E060910662AE7AA020AE836119BC609B3E0E9367C7C9D2F2975FC1DDEB1EC1B2F708704C22D666E778B787679BEE5A3CAB5868C09CCB5B57C9026BA2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):97328
                                                                                                  Entropy (8bit):6.2419469146373485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:3NSbHB6zBedWp71O37rGMsQ5gbDnTE8iayI2Sf+Ku6JhbDEhr4WTJ7HxQ:3N3OWMsQ56vd2s+KuYc9RTJa
                                                                                                  MD5:9F59EFE4EE7BFF13F5866311048A6A80
                                                                                                  SHA1:1F20929EE2BCC0BE40848CC739C6F31CAD13DA69
                                                                                                  SHA-256:32FB947BAD722480938922DC363DB76AB0079383C6D732B4998C302B03D87200
                                                                                                  SHA-512:CCCAAF2396AD1307AF0B51B424005BFB350508059CD9CF3E9641D396CCA3EC4C22EFB0329DF0AFD0B3888E07559B6904A0361B85A80A527CD3139161CFF91DAA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0............" ..0..J...........h... ........... ..............................P.....`..................................g..O....................T..0(...........f..T............................................ ............... ..H............text...4I... ...J.................. ..`.rsrc................L..............@..@.reloc...............R..............@..B.................h......H.......L...............<^.. ...\f........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138288
                                                                                                  Entropy (8bit):6.17954530016547
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:G3XFz0qjCIPMAxlUXUKoPfw0kG71AHK7cnO:U0qjCSRE+fw0kG719
                                                                                                  MD5:6D055BBD0463057997B216FA41FC1BAA
                                                                                                  SHA1:0E3B5685453BFE674252EEFE7B29DDFFE3394F36
                                                                                                  SHA-256:94571C1156471E113A0BA58686D0E0F8C8A18B7F5415A17CC00688D6901D6DD6
                                                                                                  SHA-512:D3D1FB3588D4AE7279244086069DEF2145FDD341099BD66B801CE1F7EB18F4F68B0043D3CF4BA5C8FA3FA680EF228C3371743AF1E9DCAA64711321EC6A94FCEC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6wb.........." ..0.................. ... ....... .......................`......\.....@.................................?...O.... ..@...............0(...@..........8............................................ ............... ..H............text...h.... ...................... ..`.rsrc...@.... ......................@..@.reloc.......@......................@..B................s.......H........ ..............\.......D.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.673983708245621
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Oh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBhKr+:Oy9eEpYinAMxCAcr+
                                                                                                  MD5:351EE6E0FBE6951D43F195DBFD34911A
                                                                                                  SHA1:2FAAD5BD1D08D9791C941F6F01BA41473C12DD1F
                                                                                                  SHA-256:8B4AF4380F5083A9DC11F5E74FEA942A34DE4AA3740EE0DBCEF92A95AFD656F6
                                                                                                  SHA-512:00A0600E0E4541058B8FF5A7314E0C2779B5BA5E3F9FBE9F15556E84D84D8B3C0317116B29A832CB038457EF6CE1FA88149C18E7DD33D27A3ADD3AFFAC5FF9D7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\log.txt

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):468
                                                                                                  Entropy (8bit):4.985090596968988
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:aILFkoALoRgOX97ZeTyg3ALoRgOX0UBgXP2Ym8p3ALoRgOX0UBgXW3ALoRgOXypl:hLFkLIg497ZeTZQIg4lSPPmmQIg4lSWm
                                                                                                  MD5:695A4F3297FC96B83836181871658768
                                                                                                  SHA1:AE55A78C3ED8D5C8228DD694B8D4E54FC800B876
                                                                                                  SHA-256:8F0445E60D44E18549F08A860C22CF026A8D0063973E06A826CA1C0C3C4635BF
                                                                                                  SHA-512:29BF456B3A21E7BE045DF8B864A0BBB257DBD4C9ECD3A1BC897F64F2B6DB383BCA921C06AC9437CDFDEC7199A846CE809908E0DB00A42452F5107271521F9AEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:2024-09-04 08:59:55.9760|ERROR|DotNetInstallationArguments|AgentPackageRuntimeInstaller.Domain.InstallationFailedException: DotNet runtime uninstallation failed. Exited with code: 1618... at AgentPackageRuntimeInstaller.Infrastructure.WinDotNetInstaller.<Install>g__TryRepair|3_1(<>c__DisplayClass3_0& ).. at AgentPackageRuntimeInstaller.Infrastructure.WinDotNetInstaller.Install().. at AgentPackageRuntimeInstaller.Package.InstallDotNetCommand.InstallDotNet()..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):342355
                                                                                                  Entropy (8bit):7.999222579004313
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:6144:fLe4N0t70oZhKySScszMVqdFYU6cm5w8rsKYIGXNAYpCvMgZ33c6Mg3rRSw:fLe4470+hKyJFzKqctcm5pluXWJvMg5t
                                                                                                  MD5:E27812C62B44D50108046AED9727CA73
                                                                                                  SHA1:8B8B8B6D7408F90276D316C6EE87C8C3D4709D60
                                                                                                  SHA-256:9EBC30153A86EED1F8785709B941B6141AEA67F7E2483CBF2ABBEE556E873203
                                                                                                  SHA-512:89636345624539C81394694F3ACFC308ED97A5331ABF1035E4AC983DBAC18414151D6346171CA7FB0FECD1A53F16E0A7B66CEAAF9736C30475B1CE98A0D2D402
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-......C.Y.#-.........-...AgentPackageSTRemote/AgentPackageSTRemote.exe....0........n.......{$..U>...M..._..R5|..S.-,.8..VR.....l..y(.#...W:.'iX.. .......p......iT]D'...O.v@.Z5.**..?.b..i..v...{....oC*.UFOG.k.Z.Z.....*.m..fN..B.....yY.#d.z|#.-.DF.T..G...._EV4>/0.2..].....r....Z. ...!$a.L...r../.L...|.........|W......SE....i..^....'G.."Jv....D\..6.....z.nX........*u.J.!L[W.~..fzH.A....R........3...1B..^........Xi.N...h)..r.`..Q...6.....b{.0(.m.....3i.F.....=.!.6{....u.......n..y.\g.'.P......aKc.M...}(.....+D.Egb$s`(.l(..>...VOn. =......".....6...Z)}W{.,.:0vl.[K.i.Fw>....=.I.Y...:ksU...f.>I<...iP.N.......P.."ww[Cd.OORJ".f./B.u?..l.2h.t1.......<}....(E.\a..9.~TS..t..60i.{..a...........8.z.N74....m.rb.h.3.6bc.H.9p..SE...B..a........Q,..v...Q..}....._Q>'7.jV..CI!3..).NzKF..$.EX..o.d.../.".$".1.....g.v...?.~.n..p......# ..re..9.E..b...w.'..]._...7-.J2wB..%.....-|.u..w.].Ya.B..9......-..J.P.>v1..i.i..B.g..oF.d...a...D..#'...o<..P.....+....._..v

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):73264
                                                                                                  Entropy (8bit):5.480932323340301
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:SpfpyM3uykm7XvXiJQd9Sy2pJoUvAfuc7HxeX:062T2co
                                                                                                  MD5:00A4D22D776D110ADCC63F0C567131C6
                                                                                                  SHA1:88EBB71C2DDB4733F10107B35AAAA3FBCFA52473
                                                                                                  SHA-256:01DC7B7F54222FA9494BB76A61D81A793A232A39AB2C07E2F0BD12152441F5C0
                                                                                                  SHA-512:B80264CF36B749985E3F03FFB5BC47C07342BEA27D547AEED28999D0D6E4F9A207DFBFB0DD2806D5F483A857EA9076A07BF51EE6D87144B6FB4347A829E5DE78
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.........."...0.............B.... ... ....@.. .......................`............`.....................................O.... ..P...............0(...@....................................................... ............... ..H............text...H.... ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B................$.......H........C..L............................................................0..........(....9....(....~6...%-.&~5.....z...s....%.6...(...+~7...%-.&~5.....{...s....%.7...(...+~8...%-.&~5.....|...s....%.8...(...+~9...%-.&~5.....}...s....%.9...(...+*.*..(....*...0..-.......(.....3..*r...pr...p(....,.(......(....+..._*....0..(........(......~....(....,..*..(....~....(....*.0..r....... ....(......i./.*...............&.........6...%.. ..o.......r9..p( ...,.*......s!.....s!............

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):541
                                                                                                  Entropy (8bit):5.097123194334321
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                  MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                  SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                  SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                  SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.418295834054489
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXXLUn:WBXgn
                                                                                                  MD5:D97129F80E5F51DF4BC807C70026AFD1
                                                                                                  SHA1:B83B2AF5910230202F77D5665A1529143191C1FB
                                                                                                  SHA-256:815491D276BAA5B6E48C5CB43A85F777B7308BA791CE354F4EFB0DF936F314C1
                                                                                                  SHA-512:C730BFF87F8CA8EE7A78ADCEE7A3EE87BE308DB3212535CECF067B7FCABCEB7B558CD5E0737D12C95C86BA862A43D95F21CC82C1FD423C1DAFF246129B46C853
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=22.1

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96816
                                                                                                  Entropy (8bit):6.1807776376128585
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:5Jt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7HxwU:5QUm2H5KTfOLgxFJjE50vksVUfPvCl
                                                                                                  MD5:4DAA19F0B5C29DDDAC45AD19C63E8D6B
                                                                                                  SHA1:EA97E4FDC567CE6EC439E11533CB7E1668B82E8E
                                                                                                  SHA-256:F71FBE9D385D713F2833798A5141F3A74C6261980E64C5E59E1DB81C520F73D8
                                                                                                  SHA-512:2BABB207DF5D6A9391646906E6FB52ABC6644F14B846FD3B47C8D793B6EC236BDE3872A958DF63EDAC201280919D4A7F7C129313E9B1711285456508DC35D517
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................e.....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960797168894863
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:kBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUw:kBjk38WuBcAbwoA/BkjSHXP36RMGF
                                                                                                  MD5:DEB13F3C39F77E4D6CEF5D7A53165178
                                                                                                  SHA1:07970FCFFE5D4CCE3DABA1305011573F3744492C
                                                                                                  SHA-256:4DD53ACB2324704EDC4125AB72F4C235780B8480F77EA084FA53CB57E0346EEB
                                                                                                  SHA-512:8C96E007DC027E5359819C85CD8A349333462919D988F82E4F4787F37BB49BD499E432EBE03A79E75E74118FEBAEBE430C2B2CC4E8029D2E9F796C77CB5F56D6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ......e.....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\lh.txt

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):86
                                                                                                  Entropy (8bit):5.099067481592591
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:YhKSLJf2B4VXaQjRRo5PJtFHnFSmu12SYqY:Y5fVAyRajHF412GY
                                                                                                  MD5:474E8E9B9A7B3E4F6AD08128E0F55B72
                                                                                                  SHA1:576F5988BB5BA7936B13F2836C190FBD61C37488
                                                                                                  SHA-256:1ADDE6FB11D026F8B8A767EF09D8CD08B1B6A5CC54452DB61ACBE8CC9C62BED6
                                                                                                  SHA-512:58B597AEBEFF7338C8F76BB5CF0E6A6F7133B6BB8079252CCCC952FD229B8D531C95263AC5E831B9EFE63E0F87149773341470C128956B55524FB258702A7579
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:{"DownloadedAt":"2024-09-06T05:04:17.3451494-04:00","Hash":"fEkCdzoZBX2gCqMMPS7yZw=="}

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\log.txt

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):88
                                                                                                  Entropy (8bit):4.938719801785007
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:G2vRiFcjE6LGKWqKRLXsmfWoVUgXAQJ:G2gu4lKWqKRLX/qK
                                                                                                  MD5:245E5EF85FB787D2DE01D595EEDDA64A
                                                                                                  SHA1:BA2305DF7541144A8522FB3AAAD283B8BA5447A2
                                                                                                  SHA-256:5BD506901D48250A31B0B6C6B8B5B5227AC382CE45F02B96EF9F54F37A8EF513
                                                                                                  SHA-512:9A30B4541F5B845564A21B61C1154206F51526DCF757D30D9C986A8954436FDF93CD507BCA4020784ABDB99BE4AAAD7C64941E2A5B195695CD21DB49E9319F84
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..04/09/2024 08:40:36 Downloading installation to: C:\Windows\TEMP\SplashtopStreamer.exe

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):637958
                                                                                                  Entropy (8bit):7.999354686674398
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:12288:HVd5b8dhfpvZ3U9ygocoFAdF4r0el92pBW/wFIlzxDFBLXJ:HFbyhfVsySoKdF6D2pswmlpXd
                                                                                                  MD5:767D5DD4AD2D6A3E0FF3E45DB47A9657
                                                                                                  SHA1:982A2AF2C94AE33CFB240A30A1C6433E5E5689DF
                                                                                                  SHA-256:156218F309CAF003096CB28C2FFCD74A0989E4FD0207E485A3292A4D8D1C48ED
                                                                                                  SHA-512:E8104B3622BF07059131F3F0A8DC9EA44C7B0E32213F534AEAE229F000B01425B72955197DC776F1B5750FAE2BEAAE888A2EA1D62B1630D3FC5D79B4C57317D2
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-......5.X..j.........3...AgentPackageSystemTools/AgentPackageSystemTools.exe....0........j.........)+{rh....k_....z.OZ..@bN...#....<...-...H\.\...>.w. .%.3@..x.......L].HQ..<b.. u k..<..;Q.Cc..~...D...f.."Ma.....1&6...Q...&.o.X...r..1.E.I.:.N.g>_.d1.v....a.Q%..vr.d.q.&....w.6.|......h.'o.f.9GV.g .ac.u.Y.o.......sw......*/`.._h....v...0....C.z.."vU@..m.....i...,....-.x....N.,.36`.#k/h......=.`...H...]....&.....6F....wNH.......W,.[?.<;n..J.i....xX...~(..kqV:Z.k.U.$U...h.v..".....Vx....F.[z.....j.._8.M^).E0.D.........B .\0H..v..p.-9..'...Y...=.[....ja{`..*&......9:....C.....sz+|..JQ.../....D?./y..`)T.%.......<nc..w#.......7t.#...A...>t....@..!A45Y2....Y.......38..c..sR......E...7....\.....I..M.....V..IXG=.a..}..H...r..eF......>.{.FFM.A.bm.!b......-.....Wk..z..P..An...D.M]RN...I.).h....].AU\.6d..u.;-..7....g.*....M..[.?..%....d..wZm0#...=......d".Eu......5.>.....$..b..n..V{...a..$..l..|....~:.s....H."....K.lK.y.|..ga.0f.C.."AQCu_.......?N....K..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51248
                                                                                                  Entropy (8bit):6.297269575035048
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MNb66jeKAdzF2a11sxKN/NEQDg8vM2j7HxqW:MQ6jeKAd5b1S2/NPBU2jR
                                                                                                  MD5:26E9CCE4BD85A1FCACBF03A8C3F3DDCA
                                                                                                  SHA1:3F78C454CC72D4C5B2A0F295530391904EC87948
                                                                                                  SHA-256:50F399A3867DEAB18530F8F3E72D489A15F62D6E250F4F795C7BB735F9522899
                                                                                                  SHA-512:D57C6A799C01A3F67AFB3DDEDDDBD49ECFC17C2347BEC24ED85207A846547F6288D2023961EDCAB67DFC512E0B1DA187C475A7D01BB1005A61D337EC4FEA0FE0
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..f.........."...0.............~.... ........@.. ....................................`.................................,...O.......`...............0(........................................................... ............... ..H............text........ ...................... ..`.rsrc...`...........................@..@.reloc..............................@..B................`.......H.......pB...p...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o ...o .....(!...*..0..........r...p... .....r...p.(.....o......(.....o.......("..........s......[o......s....%.o........o#.......s$..........s.......i.J.....%......io%.......o ...o ...(.........o&...*..('...*...0..].........~(....~(....~(........

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):973
                                                                                                  Entropy (8bit):5.01886272205883
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdsVPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3s77O7Rgdsg+w3Sg+78w
                                                                                                  MD5:3CCA9B00717A374829CA50C82C1E70CF
                                                                                                  SHA1:357729D1CBFA36318D8A91BDC8C039E254A7CAA2
                                                                                                  SHA-256:4161C6070CDBCB94718A6E76931AE38CABEBB70E5B00C55E799E72E61F0ECAEC
                                                                                                  SHA-512:C172CF13115FC724799C50218F00A1055FA84DEC6B9FA28F7C981DE94D4DE64CDC7797E903D4E8B87CA2FAC535B62EB395E372656183C75F42E7086598C3C435
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXTLd:WBTp
                                                                                                  MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                  SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                  SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                  SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=26.8

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):102448
                                                                                                  Entropy (8bit):6.190977882973481
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:VPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxo:V2bYbYSWd85I5sSakFQhHL8i
                                                                                                  MD5:6C0E7E9151E242E401EEBBC13558E3F5
                                                                                                  SHA1:9A5963712AD9E0F336A4749E7C258A67EF6260FA
                                                                                                  SHA-256:77D6B8CB94B6CF5B399704C3CD5877211D99FCCA58F94D120998FC41185D0E0F
                                                                                                  SHA-512:02E5E5FA52BDA5CFF5181196C6A62913FA87D6675CBA27FBFF3D0C50F305BA4CF8D9D8C4016EDC90AB1513BA39D89B50566BFF4D05585583EF03B8AA17BEA793
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16432
                                                                                                  Entropy (8bit):6.857474166817892
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:w9c52LPirPW94/DNyb8E9VF6IYinAM+oCOX3lq:w9cym2KEpYinAMxCg3c
                                                                                                  MD5:E1AA9E74F8E36783187BA548C26A1D95
                                                                                                  SHA1:52FD9D58877986DCDDBDC5C1DAC6825C5720A4F1
                                                                                                  SHA-256:CE46D831129B265740E521A614DE1F2BEE211F350FFC9643407C75308E1DBE06
                                                                                                  SHA-512:B2D79FD01D4D0BC3CCFFCD62ADD4BC45BB25561892CD23299163EDA10896249F53FD966015B7655C209B33EE413C10565D51861298061E3886B43E77E59ABDB2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..f.........."...0..............-... ...@....@.. ....................................`..................................,..O....@..................0(...`.......+............................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........!..$............................................................0../.......................(....}......(....&(.....{....Y*..0..D.......................(....}......(....-.(.......(....s....z(.....{....Yn*..(....*.0..t.......r...pr...p...s......o.... ....(.....s......o....&s......(....vl(....o......o.....!..(....&..(....o....&.o......&...*......S..o........7..R.!....BSJB............v4.0.30319......l...T...#~..........#Strings....\...4...#US.........#GUID...........#Blo

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):542
                                                                                                  Entropy (8bit):5.041389931890446
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                  MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                  SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                  SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                  SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):398896
                                                                                                  Entropy (8bit):6.134467211026903
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:WjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvH:W+e55LgIkTmyAAfTnMLvH
                                                                                                  MD5:6C03B5CEC0E3BFF6410B020CAC7EC662
                                                                                                  SHA1:DE5C6B33A97BBF0B3063CF44DACE307FEB968BF6
                                                                                                  SHA-256:05C2739F2AFA9A05514CD75C12BE6C0CD73A8356A28B3FAF84140FEEE416F339
                                                                                                  SHA-512:06900ACBA446F813E8181E42A0713B5BBD568068960DD0620C4EDF0F3C096E4C8B409181AC8FC51A24F638E37F908B6212E22DB3799107B51578B6853A8E60C0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`......u.....`.................................v...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960755198774021
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:eBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUj:eBjk38WuBcAbwoA/BkjSHXP36RMGi
                                                                                                  MD5:FA365D16F9EB02769CE0ACF75C31C832
                                                                                                  SHA1:F83D3F502E92DAD01574D16FDE5E7CA81C53A5DB
                                                                                                  SHA-256:63A690F6523922CB55B065764ABA61BE69F11AA93C8437C01485BCC4AC182F46
                                                                                                  SHA-512:E26E077C0C5806B3D4E1ABBB06087D08921CF6A46FA700343AA373213180BF9EABD7822CE418E24973909A515BA5B73DD0902402020E5A4AC56D387E378C4AD8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ......n.....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18480
                                                                                                  Entropy (8bit):6.708180254980656
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1qPstMu7M72kNyb8E9VF6IYinAM+oCiSFDKJup:1vMuo7/EpYinAMxCbeup
                                                                                                  MD5:C9A5D57AF074418532A591B4443AD16F
                                                                                                  SHA1:4F99922845AF05C64B36BC71FD34468683B389D6
                                                                                                  SHA-256:322D41E1890A28359ED05AC7C3973C2CA3532CB77F8D0646B982A76FE0A68EE0
                                                                                                  SHA-512:461CCFF9F349E6F8BE27F50C54464CA65AEC23DF6C4DEFB5A4AB085F8239899CE88B2C0B2764020807826C92BB2F757DCF39733721595E80C2AAA5A75718D9B7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..f.........."...0..............4... ...@....@.. ..............................8/....`.................................d4..O....@............... ..0(...`......,3............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H.......(#..............................................................6.(.....(....*...0..........s....%r...po......o......&..*....................0..%.......r!..p.s.......o.......,..o.......&..*.......................!!.......0..........r_..p(......i...r...p(....*....r...p....s.....r_..p(.....o.... ....(.....s........(....-.........o.....o.....o....(.......l&..-.s....%.o....%r...po.......L....(....o....&..&...o....,%.o....( ...-..o....(!...,..o....(".....,..o.....*....4..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):500
                                                                                                  Entropy (8bit):5.044946190927216
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGp2VOD9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsHPF7NhOXrRH2/d9y
                                                                                                  MD5:5EF8C402347FEC5555700DB9D649C349
                                                                                                  SHA1:2E70D02943060011AF38D9200B3461206F56933D
                                                                                                  SHA-256:718459DA91EB82BD0ED8AD24CC3EABFCA61D1B5C1D9060111F85CC7D84BADCCA
                                                                                                  SHA-512:F2650D2C604459E674810BDA95C37D3FE7747CF67B5736C4275DA91576B36F3FF882FD3F8A5F0591CDF335E935DB716BE827821333297F719C26B1152BCB4D6F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.676917265704932
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ty/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOqpodH3T:tuhMaVmzDC67EpYinAMxCWH3T
                                                                                                  MD5:F2016790A63364276B5DE090FF0D9516
                                                                                                  SHA1:C99BDCCD05A8813E6DEECCDFA0FD675FDC57A488
                                                                                                  SHA-256:662DC69A05611BEA25F993F4D249C83340C2F468E9564CA625027A1EA9C84E9A
                                                                                                  SHA-512:41CBB8D586AEACC6E9C156561A4C92EF30C3D50B8D4A91C2A0A41E186891C61776E102AC5DEB95A854C2241734A854320B49A0E0A05F20ECBCDB8A0F7E55980E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ...............................\....@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64048
                                                                                                  Entropy (8bit):6.268502105017609
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:BYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1JEpYinAMxC7z1:BKC9niwOepJ6TJPeb6NIUy7HxUz1
                                                                                                  MD5:9B1EA8A460CDBE957FD464E52CB74F9C
                                                                                                  SHA1:34574DE2F45BDA8A68F49C031A80476D6E6B711F
                                                                                                  SHA-256:41046ADC0E23A6A673C6DDD890C4B43F21A615D470886D59FC436B09B994E7A8
                                                                                                  SHA-512:A99E6C7829C4B6994E8AFDB4538DD8954DCFF96F2C59D62FFC91DA2E833F777F870A2F55A60CADBBED97ABA0F6411D6D40DE33D295491B2AEB45CDC51D485003
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@......*.....`.................................k...O....... ...............0(... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138288
                                                                                                  Entropy (8bit):6.17978189203311
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:2P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IlU:2h0qjC5RMOHO420kN1P
                                                                                                  MD5:8D61BFC6E305850F082B2A4FAED267B8
                                                                                                  SHA1:543224920E68C0C7B28C9411ECE8B9F8EAFA7DE3
                                                                                                  SHA-256:B7EF8E721E39ACE9C8C4B4C4490AE5042634637D24DB4A70AF33D29DC4EC5C10
                                                                                                  SHA-512:6AA0C22B6CBD1942AD74386919D8E4F0F69FF47FC97103BDAD3FE029E9137C51DAC70CDB84275AE779965E461BC992DE96028B92A3DB8F0D26B8B53A547CA09E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......t.....@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.63676850357766
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:7TO9dQWXYW8aVNyb8E9VF6IYinAM+oCJF08IoP:7Cn6CEpYinAMxCk8jP
                                                                                                  MD5:F6E07CB084C3B287E2D2525A597A4D0C
                                                                                                  SHA1:E9191698963EA0613747BC24842DF8C37E6FBE84
                                                                                                  SHA-256:D24366C19E9DFE77B7EA94546F336F20CF8F574F838F68EBB2179C6CBFE4F25A
                                                                                                  SHA-512:5AC38F55D0045BFDB9951154E87ED30E98B200C148897E7BD3C19BEFDA634437A1EC5AA2088CE99F0E17644069EEA93E97AE1DA00DB5746C4784228FE35E1725
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ....................................@..................................1..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3209582
                                                                                                  Entropy (8bit):7.999885821468103
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:98304:mYT7qppkQy3jVGaPu4pyK6DrwirLgYf/K65Ffa:QprpwHQ/JC6jfa
                                                                                                  MD5:0E076C0A015D1F9C35BF5ED608CFCF12
                                                                                                  SHA1:33C40BDCAD135469A7FF3CFEE203181153189222
                                                                                                  SHA-256:0F36BBD5AE45683A37A3962941BDD0DA9F278A6BEAF87AC8F8091C6F85157A8E
                                                                                                  SHA-512:A3FDB8122208EA4FD629F0DEE8F4F6286A08DF8F7BD567645734C85C035E6C5EF846E4D163378742D4B325987369920C65A23E0D60AE0626CAE48ADAA4EEECFA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-......^.Y.M........../...AgentPackageTicketing/AgentPackageTicketing.exe....0........H........_a"...+>5$..E.7s.. .d..Y.................[.R9.0........N...=...@...^F.....-)l#.".~...Q.....\`.]v.......6..f.8@.......D.n.~Z.7..j..>.03.xv..>..A,LG....f.F. ......5Pa?...03.Z.}...k).......8.{/...r.m..E...%..[.I..;.-....q.%]..f\.Y.............N9.gQ....x,..)....c...........S..)6v.Z~....RF......q.Z.C.(.6d...,.B.d...h.{W..w.Q+Z./.,Z..Z..\..$.!.\Q.u.L..-a..x-..:.=?......~.A0t^8....[x.o.R....J^...h..X.Q_...>./=.l..@J..ER.u..%^S.M .v...D...n.+.'L.....&..n>.u..@.z..K.^..V.'.......w].....4...5...]F........a...#C.}...O.8..*vj...t..cO..rl(.T..i.....6..^..m.....5F....H...U..2w....l%J.......y3.PG......U^UmE.*N'.Y.0...Cq>....\..z../....:.Na...Svf....."YDa~.,.._.F..be....{.....V...1i...n...q..ge.X!.-.A.....X..Q.I....62...x.T,..G.....x...q.t.......JH...Y.!.._.9..".Ff.ua.L.a...4..^....u.B.o....[..^..hozX.......k.C.....l......j...#1.J.....$......_./K.......V....<..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33328
                                                                                                  Entropy (8bit):6.282134223933925
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:l7MUZ7pWikfoGh5yd1pjJpO6HRjBMlYCENyb8E9VF6IYinAM+oCVXF9:yUZlF++VFNByYCkEpYinAMxCJP
                                                                                                  MD5:1EB3651F13B9CFC3D055419FD7E51BF0
                                                                                                  SHA1:ABB29CA7B52A3732FA72B1DB4FFE5D24DCE2204A
                                                                                                  SHA-256:CEDFC67FD7A2D7F81241BFCE8770FC8685D32E208A08AABCB1760613A637D65B
                                                                                                  SHA-512:2B72959A0E315CEC376F4BCBCC713C7F1131EB464D53FC7EC36FB5C35E88F50B9008B8DD99644791D0942C78B4B52918655EA8A3CBDB25DE534D778F8CBB346D
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t1.f.........."...0..N..........Jl... ........@.. ..............................A.....`..................................k..O.......4............Z..0(...........j............................................... ............... ..H............text...PL... ...N.................. ..`.rsrc...4............P..............@..@.reloc...............X..............@..B................,l......H.......@4...6...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o....o......(....*..0..........r...p... .....r...p.(.....o......(.....o.......(...........s......[o......s....%.o........o .......s!..........s.......i.......%......io".......o....o....(.........o#...*..($...*...0..t.......(.....(%...(....,.*(....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1062
                                                                                                  Entropy (8bit):5.04288182607063
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:3sIk7O7RgdjdgFSagFw
                                                                                                  MD5:D82D26318224097C2B13F43E879DA855
                                                                                                  SHA1:4626369E38B4505371D1376FB9A50B401B21A7E3
                                                                                                  SHA-256:1BE14A97E8F1FFC962C060B76FFAC47298D02680F235097CABF378EDB3EA34D6
                                                                                                  SHA-512:5E3B09D12E5FEFB6B82DB7E19A3D856D02C683B211F18CEBABC0A6FBEA9B3E84BCFAF414C7DF043F986F78A85DB8A22D4584DCAEBE59CDC0A527D7636B31886A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.418295834054489
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXdLXn:WBdj
                                                                                                  MD5:C2FFE395A4BA7255C274F9BC8143BB5A
                                                                                                  SHA1:4A51946866C226A26B0B1BDC52C23F95B3CA414F
                                                                                                  SHA-256:C5C3F526589EDB0F9285DE34F13893B7A704EA5B93DBB8430C086867BE9C4D3C
                                                                                                  SHA-512:2CE60DD77BA2210E27BE78EE73207400B3E5078C85017A460E8E0A64BCF1E165E15B4D8B96C8ABA01B5CB661FC3781B735A327040146E291A290B4FFBB2B7798
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=28.2

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):99376
                                                                                                  Entropy (8bit):6.189117557062166
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:DlAttsLnppOphwrfNIkZP0kLv+ghDBzmItlVYlkL5ihaO40QhflQCxhB7Hx95:DoESpOPptPkW5ihaOdQhfhBJ
                                                                                                  MD5:3A9175AD769D52B6AC5BC914D5A14706
                                                                                                  SHA1:067DAF8C5929A0A5A1370A7CEF27C3C5353C4EFE
                                                                                                  SHA-256:93D40DCEEACF2CE1E34F9F23DCD622A54C1E3A2B6F87BFC3A9E6AB366C430343
                                                                                                  SHA-512:BD9DDE88F2E46F0EBE8C5C85B9A4B289655A4DC3CBEA8303869F2C4DA5EB4D69BFAF5EBC5666371BF90227E974C5BCC70AF7844E207C00BCACAD60A24B2ECC6A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}KMe.........." ..0..R...........q... ........... ..............................Gn....`.................................<q..O.......D............\..0(...........p............................................... ............... ..H............text....Q... ...R.................. ..`.rsrc...D............T..............@..@.reloc...............Z..............@..B................pq......H........o...............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):145456
                                                                                                  Entropy (8bit):6.203607839046975
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:BRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIh4:39XeDmzV2yzlhKLFU1lLVp1+2flYFsvR
                                                                                                  MD5:E38C881D1464650E1834D5A983537C9D
                                                                                                  SHA1:F47AEB4417E11F706DAB036B7B6567DC2CA2D350
                                                                                                  SHA-256:8E50429E4016C751B2628EA7CB8C3B824894B8FF99315C481DF9076E21571F7A
                                                                                                  SHA-512:5A226D613D13AB39FBF8FFDFB77909BBB352C758181F18291DFF16DA0A0FA892C49AC3A5396DEEB4BFBFDC4766BF207EC142FB918EC18953D732265C3D303126
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ..............................R.....`.................................#$..O....@..|...............0(...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29232
                                                                                                  Entropy (8bit):6.673153419184804
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:YmYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF61Nyb8E9VF6X:0SJh5tIYQzT5zyF6REpYinAMxC2i
                                                                                                  MD5:D2EC19E81C393064B8E6603829731B55
                                                                                                  SHA1:DC11DFD8E7387B1ADFCE37195EC028CECF117C3B
                                                                                                  SHA-256:967F94E3F9337C3E4E91291472F55F30D90A21680471BB14C5DD0ADF487ED214
                                                                                                  SHA-512:7AB8464BC39EB4344570EB46DCF77B76E462A5ABCA84B63BECF8827BCB005550C66CA56A7FA59CBE455635569D43481BF1F8F15660D446147182093A318C165B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p;_f.........." ..0..B..........Na... ........... ....................................@..................................`..S....................J..0(........................................................... ............... ..H............text...TA... ...B.................. ..`.rsrc................D..............@..@.reloc...............H..............@..B................0a......H....... 3...-.........../.......2.........................................}.....(......}.......(..... ....(..... ....(.....(....o....*"..(....*..(....*...(.....{....,..+..+.-..{.....o....o....*...0..?.........+..o....,..+..+.-..o....o....,..+..+.-..*.o......,..+..+.-..*..0..J.........(.....(....,..+..+.-2.{.....3#.{....,..+..+.-....s....}.....(.....(....*j....$...s..........(....&*z.{....,..+..+.-..(......(....*..{....*.0...........{.....;.....(....,..+..+.-...}....*.{....,.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):219184
                                                                                                  Entropy (8bit):6.0632759727462195
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:hYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhlf:hYqqbe2CSod5dtM8ww7P7
                                                                                                  MD5:D49764A8600D87CA5CD10370388BD696
                                                                                                  SHA1:A58F52527490E004C2CE933C01280CE31372958C
                                                                                                  SHA-256:5B0E2A86A7738283D0F849E143D8592DB60902EFA3612A7213030517EE4F6F82
                                                                                                  SHA-512:696E0767AFB2A8C7F67DF10AA75F10D7A46CEB56FB68103A83C24A5D8ACEF5FB6A02049F128613D832ABFEEE5224283AD15C1C62043809218B6953155A98DC1D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j;_f.........." ..0..(...........F... ........... ....................................@.................................dF..W....`...............0..0(........................................................... ............... ..H............text....&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................F......H........S.......................S.......................................r...p(................s.........*...0...........o.....=3A.o......o......,..+..+.-.....o......(F.....,..+..+.:B......oK...*.o.... 7...@........o.......o.....o.....o........(F.......,..+..+.:t.....{f...,..+..+.-......-\.o........([.......~....(....,..+..+.-5.o........oF........ob.......,..+..+.-.....}f.....&......o.......o....*.o.....\3%.o.......o.......t......(......o....*.o.....]33.o.........1&.o........

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):320048
                                                                                                  Entropy (8bit):7.048379732590212
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:bkm5mx115y505H0jIfJMSFk9X0jIfJMSFk9x:4YwJMykwwJMykx
                                                                                                  MD5:1B2398AC75EC999551F210EE25E73D80
                                                                                                  SHA1:B06D53E70C8D615929B7FD5046D9AD169348596E
                                                                                                  SHA-256:D418A54E0A0F328142E535F9A8059A4231A4221B893D972A33BF19BBE3D606CA
                                                                                                  SHA-512:3D4B88C72C23053FD87B0523920EBBDAE2389AABDF0D4D3E1DC84B859690656E81EA6FF24E6E39B5BD7432311FFE671100917E564DE2886B4EA4E060C1144713
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............j.... ........... ....................... ......U`....`.....................................O.......................0(..........p...8............................................ ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................K.......H.......pd.............. ...P...........................................V.(......}......}....*..,..{.(..........,..p .@..(................s....(....*.~.......~....(....~.......~....(....*..0..........~.....(.....{.....{...+..(......{.....{3.~.....3..{.....p3.sA...s....%.o ...%.o!...(8...*.{.....{3"r...p.{.....{.....r...p.("...(#...*...0..$.......s$....o%...(&...o'...((......&.....*.................0..6.......r...p.().....-.r...p..w...(*.....w.....(+......&...*.*..........//..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):432
                                                                                                  Entropy (8bit):5.0141792226861375
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                  MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                  SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                  SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                  SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):215088
                                                                                                  Entropy (8bit):6.030752183708582
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:61uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sv:lIzm6pOIgvr7m
                                                                                                  MD5:E7D063B516461FA20708685B36587C24
                                                                                                  SHA1:316E0AC63DCF4BDC05B95BC2869AF251D6F5E4A1
                                                                                                  SHA-256:B5A42D67662DEBD7439508349C8EAF890751A7FA518F96D06A367DD84B72F5EF
                                                                                                  SHA-512:60F3EA915FFEA396615D0367FB7BE006FDD9DE0BC6CD88EBD0859557DE3CF108E70C6E9DC5469F52AE639A0D4C91F40242E10BFF593D218D72C268F0CF31CF5C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):398896
                                                                                                  Entropy (8bit):6.134299339779951
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:ljS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvV:l+e55LgIkTmyAAfTnMLvV
                                                                                                  MD5:89CAB330345D19AEE94333317B641305
                                                                                                  SHA1:2617ECCB48859CF8EE84B6355351CE7726FC2133
                                                                                                  SHA-256:EB8C2915FDFE090607B2FD0637B2E73717019408BA6F577939659B118F8E485D
                                                                                                  SHA-512:5E72059E1E36529BD004D48D56D65C626A885413601610C74E858F3CCE073AD9A03E45E055E1E62F4B0EBD194C12257DF6375C402CE9B5B194F42B1C8A55DC80
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`............`.................................v...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960800163691142
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:FBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTU5:FBjk38WuBcAbwoA/BkjSHXP36RMGI
                                                                                                  MD5:B6AE9974A69D921763BC32A8B5AEC8D9
                                                                                                  SHA1:4AEF0FA7A0936871005D5E0C7CCC1501123BE285
                                                                                                  SHA-256:9D07B0955E2CB803DC55952D6969C40A9498358A0926577F1C1F8DFAC6729966
                                                                                                  SHA-512:3D646921072564364ED35DC065750110E303D9F50476A8D457ADE6ECBC4EE57CF2A46242D633545DC72E1E0EFD34589581B8C699932475DC91480076931FE81E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ......\.....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):154672
                                                                                                  Entropy (8bit):5.990920439412128
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:N4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otck7h:N4wZywKn/U5xEwKIk0WPh
                                                                                                  MD5:27E53A2322C363CE163DC08BDA5847C1
                                                                                                  SHA1:DD738D980470DD7A7491A4D2934D667B1BFFD1D2
                                                                                                  SHA-256:CEC3910D0EAD3F1E759449AAC5A3139E2053964136F863A8AFD58FF4213A7A41
                                                                                                  SHA-512:DF87F87213E062A8210759D5E60D6FEF8A4C7B237081351EC81988C6CE2073C8CFD202B40ED759B4A62F830EAB1E8ABEB656734D444D03247B70BF42BD39573F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.b..........." ..0..*..........6&... ...`....... ..............................<.....@..................................%..O....`...............4..0(...........%..T............................................ ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................&......H............D...................$........................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. R..0 )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...*..{....*"..}....*..(....*:.(......(....*"..(....*f.(....%-.&+.(b.....(....*..(....*"..(....*...0..%.........("...(#...($....#.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22064
                                                                                                  Entropy (8bit):6.671072837354353
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vrMdp9yXOfPfAxR5zwWvYW8avNyb8E9VF6IYinAM+oCAmx:vrMcXP6gEpYinAMxCD
                                                                                                  MD5:2BA71C896B6FF633B4B5F41FF6924B1F
                                                                                                  SHA1:0DC25A378BB9E94010262239346C417A896C0DC5
                                                                                                  SHA-256:B8BDEE72A436A698C7F6D4BF524BDC4F689E9B4AB6296BB67EE95DC88E8CEA0C
                                                                                                  SHA-512:FC993028523659CADB4204AB38FC5961490ED27FA4FE9FB8051403B18E0DAD4E471C4698DAA193633F178848F2C43AC75A054B223E741343F0E03FD7A8435494
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................!k....@..................................B..O....`..@...............0(...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):420400
                                                                                                  Entropy (8bit):6.109698545052421
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:S5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFt:SpjblhW1N
                                                                                                  MD5:F60DD190BE421049E9783FFE4E11C751
                                                                                                  SHA1:3698AAB28B827850CC2E9A92AF48D96288713814
                                                                                                  SHA-256:176E6E58FAE82EE57538399D4482206065215B420602FCDD5B3FC2AD23E7BA93
                                                                                                  SHA-512:0965B2BCC83F19D43A0FF1A9E5719AA112BB233F4FE6B16E171B6C8B7EC833CDD10724346CD427EB74E20166EC8C002AD5E0D4244FD2F637D7A9C47E1A8EBF19
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d.........." ..0..8...........T... ...`....... ..............................+.....`..................................T..O....`..p............B..0(..........XS............................................... ............... ..H............text... 6... ...8.................. ..`.rsrc...p....`.......:..............@..@.reloc...............@..............@..B.................T......H........X..\V.................R......................................:.(;.....}....*..{....*:.(;.....}....*..{....*...0...........~<...}.....r...p}........(.....(.....(.....r)..p.(........(u.....~<...(=...,z.....s....}.......}.......}............{............%......(>....%...D....%...!....%...%.........%....%.........s....(B...*vra..p.(....,...}....*..}....*..{....*vr...p.(....,...}....*..}....*..{....*z.{....,......(>...o?...s@...z*.0..(........{....-..(......o....&....(j

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):142384
                                                                                                  Entropy (8bit):6.161829681988026
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:6UGrszKKLBFa9DvrJGeesIf3afNs2AldfIQy:NBFd3/aFs2n
                                                                                                  MD5:588827F33A62E902C04EA7FB95D9F84D
                                                                                                  SHA1:31D4D3C65146B942A3BC8F293706EBEEFEE908B3
                                                                                                  SHA-256:A29480DF6D93ED6C7F0270AEC505CFEE40C349D6455FEBBC83776A4803A2E45C
                                                                                                  SHA-512:A4E1539257536889B9365C2FC5FFEFAB6A7D59022CBF45A72BEF5ADFF0D8395C025B304D2F8E97DB5A6A30C7187388335D3EC512D88325125A1FB7188E0CB243
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................X...O.... ..0...............0(...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):110128
                                                                                                  Entropy (8bit):5.511597837451873
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:FPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/i7HxR:FWw0SUUKBM8aOUiiGw7qa9tK/iP
                                                                                                  MD5:146213EC7725102C18D84FC0EDC98195
                                                                                                  SHA1:ACF2FF3B1149647A7461DAAD5425792C2606DDAC
                                                                                                  SHA-256:9699401EA7DCFD8CB75C62D7F91E96711E7A984D971EBD5E64106D47249C39BF
                                                                                                  SHA-512:ACCCA66B2245B9A421B54B7C40992BEC79125F498ED50693C4B099AB69A1224B6BECB71D682781F62CE190C9D78F9AC582B2C2E4528B33FA07C114827712D221
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................M.....@.................................f...O.......................0(.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17968
                                                                                                  Entropy (8bit):6.672325153709117
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Eh06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBKM:Ey9eEpYinAMxCAn
                                                                                                  MD5:D6703D48950B4DCD7CEDACD676B7A714
                                                                                                  SHA1:2A75183B9680A4DE01356D9A02D869F094AE84BE
                                                                                                  SHA-256:A5A8DE384BEAF0C1C4C6BBF045BCA06F584E079D0A0C33D153CA397722D68A4F
                                                                                                  SHA-512:C87151EF8913A36E359C19A31910EC22D31EF298C93B3E0B02F47AAC7930126CB62D8727DEC96DF9411E534D90650EEA212AEFC67E889E165EAFDFF420784F1E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................c....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19504
                                                                                                  Entropy (8bit):6.524061004252665
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:wyPa16oAL4D+wW9IWmDIW4IWYDcNyb8E9VF6IYinAM+oCFbZ:wWs6oqDjADKeD8EpYinAMxC/
                                                                                                  MD5:6A3B8D090D8206E941214FD379C1AE16
                                                                                                  SHA1:39A5FC15EAD808C8B9687B80927BD2E375E14E57
                                                                                                  SHA-256:90C837538F0AC5C5C725AD4F55F865756ACA80AE56CDC6BB47EBC97B2487AAB4
                                                                                                  SHA-512:DCB1639662096D7A152DEC9C6DED5A77FAEA1AA144186EE7CC8F7CF7FEC0E430656C021F38FE13B3634AE3EFCC16B6606045357B0737C2254CC44F71004EC835
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ....................................@..................................2..O....@...............$..0(...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2r[..p.(....*B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):42544
                                                                                                  Entropy (8bit):6.380743282886218
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:f9CYW62Pirf9Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3Upoztj+rNyb8E9VF6IYinP:f9Nf94GX7nwOa5VS2ozd+nEpYinAMxCG
                                                                                                  MD5:CA3B7F3359FE8F98AD1DC508A850E4A5
                                                                                                  SHA1:512BFB4FD468A46C21BF21E22B8974FFC5F4229F
                                                                                                  SHA-256:7D3CEC8073F1FCF61271C4EEEC7AFC9D270DF47EDC837BADBAAAF8EBC88E182F
                                                                                                  SHA-512:B33E0CB83F2F5AD79A54BC3C4AF5D3C193555763688425369853B6BA30C280F2976A956E6C69C6B49DE25E693EF5A8F891E8E5A336AEC3092218D6800C30DF66
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s1.f.........."...0..r..........&.... ........@.. .............................. .....`....................................O....................~..0(........................................................... ............... ..H............text...,p... ...r.................. ..`.rsrc................t..............@..@.reloc...............|..............@..B........................H........"..............\4..@Z............................................(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....rY..p~....o....t....*.~....*..(....*Vs....(....t.........*.(.....(....(......,..(....*(....*....0..I.......s....s....%.o....%s ...%rm..pr...p...(....(!...o"...o#...($...o%.....&..*...........EE........r...po&...,'..o'......r...po(...,....o)....Yo*......*..0..........(+...o,...r...p(-...(......,...%.. .o/......i./..|s0......-...(.....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1547
                                                                                                  Entropy (8bit):5.008195800038022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                  MD5:029F543956E8B235A70112C77912150A
                                                                                                  SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                  SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                  SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):76848
                                                                                                  Entropy (8bit):6.053721432037672
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:aPGo8P6wlXZMw68BQE8yZRU4C2tnm67HxR:anQVlfx80RU4C2hm6T
                                                                                                  MD5:5DB2F9DE182F80DE43AF4EFBE8CEA9FD
                                                                                                  SHA1:7ABBD1D7A7459DF9777239255E7B22C6B07641A3
                                                                                                  SHA-256:A41759B18B37FA49B970709320E6B556F05150569B350A893C15E120344F89B6
                                                                                                  SHA-512:A7D3D45D0C3E3B4A1A0A31D671E0F8C1FEE6B5045ABA3F6E8EF8E1B28559BC3E620649F1B8ECD6E680363B9472E773B7421087A62BC7CD5270F6BBBE684EEE24
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v............" ..0.................. ... ....... .......................`............`.................................M...O.... ..................0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........V...............................................................0..........(....(.....r...p... .....r...p..(......o......(.....o......(.....o..........s......[o......s....%.o........o .....s!..........s"...%......io#...o$.....o%...(&.........,...o'......*......y.,........0..........(....(.....r...p... .....r...p..(......o......(.....o.......((.........s......[o......s....%.o........o).......s*..........s"......i.j...........io+.....(.........o,.........,...o'......*.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):953
                                                                                                  Entropy (8bit):4.9874198404771155
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                  MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                  SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                  SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                  SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):349232
                                                                                                  Entropy (8bit):2.8911332911002288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:fuwQVu5Sb/jb5/EH8VAynnnnnnnnnnnnnnnwt5Z:fu95cZ
                                                                                                  MD5:62A635E2DD6CE67A74999F57C9B0FC99
                                                                                                  SHA1:0CBDFB178BA890236F775373D696F41DB76C88E2
                                                                                                  SHA-256:10A632808FFE84C0C0A87E42EA4312FB7EE73C83C74BDCEF2CD07CCF1CF84EAE
                                                                                                  SHA-512:6336C499EC1E9997ED00A3D8E143B0795E215C55E38731826E643BE7C81688CAFEF9C9D07F2CC2380123886BA36096936FDFD4A53E11789D3EBF6BC58D23DD4B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s1.f.........."...0......d........... ........@.. ..............................C-....`.....................................O........a...........,..0(..........P................................................ ............... ..H............text........ ...................... ..`.rsrc....a.......b..................@..@.reloc...............*..............@..B........................H........(..H"...........J..`............................................0..*.........,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.........(....,.(....+*(.........(......,..(.... ....(....+.....s.........(.... ....`(......&..(....,.....(.....(.....(...........s....(....(....%(....( ...s!........~....("....>..rA..p(....(#...($...rU..p(%...re..p.%-.&.+.o&...('...((.....*.........................>....Js)...%rq..p.o*...*..0..w.......(+...%-.&.+.(...+%-.&.+$~....%-.&~..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1547
                                                                                                  Entropy (8bit):5.008195800038022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                  MD5:029F543956E8B235A70112C77912150A
                                                                                                  SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                  SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                  SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59440
                                                                                                  Entropy (8bit):6.137270255428244
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:nXZF2u4+tuH4aPLEdUEaHLB2W0eUb16dk+CXdNTjRS8SeHiEpYinAMxCk2h:npF4OyX4d2LPibMBCzXRfSoj7HxOh
                                                                                                  MD5:29A44FCEE93634B8E9F69F82983ED7A7
                                                                                                  SHA1:1C833AF58028E9002A0C5487D27805F0DF5F3997
                                                                                                  SHA-256:E91859A43ED25E017046E9B0799BA48D13C41919248002EE9FC4E9E3D4CAD66C
                                                                                                  SHA-512:5DFB944FE0F50C4E430082A2A7EF467863D59C373A9C2E9D921551050E8607D3D5B1856D1B50DF58A60B7665C42180B1A88C46057508F38647369E5206CF8ECF
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................... ......L^....`.................................Q...O.......................0(..............8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........X...}............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..s....}.....s....}.....(......o8...(...+}....*..0...........{....o.....8......(.....s.......}D.....u....}C....{C...,........s....(....&+ms.......}F.....u....}E....{E...,........s....(....&+8s.........}H......u....}G.....{G...,.........s....(....&..(....:J.............o.....*.................0..I........{....o.....{....o.....+...(

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1191
                                                                                                  Entropy (8bit):4.971943087661362
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                  MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                  SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                  SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                  SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23088
                                                                                                  Entropy (8bit):6.501679088753368
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:TLOGTOwM15TRwLm6orgNyb8E9VF6IYinAM+oCyy8z:TnMTR0PaYEpYinAMxCQ
                                                                                                  MD5:3314D1B614F9EF304B4DC56192E120C7
                                                                                                  SHA1:E712FBEDAC8B9D9A0840C2E09EE48D2B394AEF0A
                                                                                                  SHA-256:E6A343AABE8924FA6D13FE34EB6E9F93611F186F0484D54AA22E87C371EE8511
                                                                                                  SHA-512:94B608FEA0411D406994BFEED76B99B503A02E57A928926DC88E472AADB41FFD93862945ED1636BE9B17F2C6203D65D7FA0E42FB44DD775916C3F217F2C390BD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.\.........." ..0..(...........G... ...`....... ...................................`..................................F..O....`..L............2..0(...........E............................................... ............... ..H............text...4'... ...(.................. ..`.rsrc...L....`.......*..............@..@.reloc...............0..............@..B.................G......H........)..$............................................................~....*.......**...(.....*...0...........~.....o......,..~.....o......+i.s(...%.o.....%.o.....%.o.....%.o.....%.o....o ....%.o....o"....%.o....o$....%.o....o&.....~......o........+..*..0............(.......o....o.......o%...o................o!......(....}.......o!......(....}.......o!......(.....o#.......(....X}.......o!......(.....o#.......(....X}..............s..........%..o.....#....%........o ...&*...

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1817648
                                                                                                  Entropy (8bit):6.551384864904906
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:M9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkPv:M9Nzm31PMov
                                                                                                  MD5:BE2AECFE72DFDA1E2FF05B279FCC9579
                                                                                                  SHA1:14E9A808A1C5EDD85EF4496A2C7B66188F652845
                                                                                                  SHA-256:C6D1DAB4431EAE651CA2FDD7A7FDA08F30B40AB4AB5621049808D9A311538CB8
                                                                                                  SHA-512:B7B566E359DFCD80221BFA8ABABA8D1424A49E36F10BD583C4D04D8FCE0E3491F31FF826C566DB4717EC8707F2EC8F7A6824C779A59ADF1CDEBC81B48D542F96
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." ......................................................................`.................................................P...x................!......0(...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1436208
                                                                                                  Entropy (8bit):6.781393779521666
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:bs5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEs8:GlI+vIjE7mjOuKa8Riy+gvhaIn2+0X
                                                                                                  MD5:4E386DBAFF2E2EF643DBFE6C48EE4B60
                                                                                                  SHA1:AC8C6156BFE22EC653DB9AA63008BCE115BBAB37
                                                                                                  SHA-256:4CACEE80F5EAC5B689D4449DF1D35A4DA0248A4848F454B534763F67FA3265EA
                                                                                                  SHA-512:E140DAC25343C0EF5250C7778E9356AF842F6AD21C6262538B4AF90F8ADD7E10F3FBEB3B61093047A7FC534A42BE7E2C76084E110B4D86CABD8E5FD4836D9C71
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..{2..(2..(2..(.*W(...(.*U(...(.*T(...(..)%..(..)'..(..)=..(.Im(:..(,.5(1..(2..(...(..)3..(..)3..(..Y(3..(..)3..(Rich2..(........PE..L.....d...........!.....f...X......................................................`.....@.........................P...t.......x....`..................0(...p..X...@...p...............................@...............H............................text....d.......f.................. ..`.rdata..............j..............@..@.data....8.......,..................@....gfids.......P.......&..............@..@.rsrc........`.......(..............@..@.reloc..X....p.......2..............@..B........................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):582537
                                                                                                  Entropy (8bit):7.999529358280024
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:12288:jFWPADWqxzsjJ/91r5+50BxeCMJuzjFxI5RWV7ZK5j:E8WQzz50Bxel0jzZU
                                                                                                  MD5:8C3A8B04727329AE1B41873E81F360ED
                                                                                                  SHA1:EF4647DAB3A94EF49769FC35DED7C9DD2E506A8F
                                                                                                  SHA-256:EF5E5D94D5EACDCEDE92FB99FC3439EDD44FE53E352ABE058FBB46E43066AB6D
                                                                                                  SHA-512:A47D96A9C97C6C6A5972182C5797C0B1B6A15B9DC7017CFE7798061540C5C686426473BA502B2949D0AA16547D92758E735BCF8CDA1C09A0326B14479239A6BB
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:PK..-.....!gqX..*........5...AgentPackageUpgradeAgent/AgentPackageUpgradeAgent.exe....0........a......e......C..\....#U....w.R(..xp.sg..,.N....D...m..5T.ur@.....xt$..A.x......J!..9...32F3.:@1>(...{;..,R7w%..T,<..d..R.......m.....u>..F.G...+.`@|..v.VL....4..7..e.u..w[.6.;.g...Y.4.x.LZ3......~......2.cK{....h..0.]3.4i...[.z%.o..~/.....3.....1....i.L..Yy..C..=.......t../..W.R...z.2...%./..>.......~,..j...|.i...95.A.O.. .p.P.YD.(.Z...:5kh]....:z..J.q...rO..I.l..d.?f+7..E...Eu..o..w......l..&.)..I.K....%8.f...)F_u.8.d...U....K,@..}..PD!..M1.Xm.G...:...?i!A.R....rE....suo.....{sC..+.a.......d..4.qf.3%.v64.....P...I..O.7...8..h..........Z..N...+.I.t..^p.......B.p..@.".D.+..#7..lr.$...NX.n.........g...F..e.L;..NIE%.......`.....1...K.H_.Xm....=_IO.b..m....2.u...ho ........:Fs-{......v..'...0LgGvIi_...%..[i.8....r..<.L.4...=.@...kS"NK.R@"X...+..9..Z...".....@..8|<.z...N..../j.Ns={.......xd.G..#F8.ei . .e...s.g.....fW..y....U..#.d.........z..i..D.....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52272
                                                                                                  Entropy (8bit):5.836724024105667
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:ExCQ5h7KT77yxeqGLQOFfxicft9w56PzePEpYinAMxC6:ICQ5hGP7T3kSBft9w56P6o7Hxd
                                                                                                  MD5:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                  SHA1:0613CAB68FFB3903A18ED5F4967D52B4815D2499
                                                                                                  SHA-256:9FBC99E85F5FA709D0D21854D4FE1FD420C7DEC8EC1F7105BE74EEB282EFFC8C
                                                                                                  SHA-512:D0A27917F420968355AF04D572D597F83D8011A86E9C32546C0A7BE493556AE0618894DDA04CADC935A16264D7685823425D1E57F1A0873F0119A74664F88956
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._..e.........."...0.............6.... ........@.. ..............................Q.....`....................................O.......x...............0(........................................................... ............... ..H............text...<.... ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B........................H.......\M..Ph...........................................................0..Y........o.......+C......o......r...p.o....t%...r...p(....,.........,..o.......&....X....i2..*..*...........$;..........8G.......0..#.......~....r/..po.......(....}.....{....(....,.rw..ps....z..{....o......r...p.o.......r...p.o....t%...}.....{.....(....,..r...p..o......}......}.....r...po.......r...p.o....t%...}.....{.....(....,..r...p..o......}......}.......,..o.........5.,..o......,..o......,..o....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):535
                                                                                                  Entropy (8bit):5.076084597400077
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                  MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                  SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                  SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                  SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.ini

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12
                                                                                                  Entropy (8bit):3.584962500721156
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:WhXTLd:WBTp
                                                                                                  MD5:B1DE0EF19266A86B8F7A2BCD03ECD23B
                                                                                                  SHA1:AB91C344BFECEF0CDB73119D4C5C72BAA8CD21E7
                                                                                                  SHA-256:50578EB887B529FB77AFAA4F3A888ECA57E2D640F4789BBEE470F1EFF04DEB7F
                                                                                                  SHA-512:656C69FF2C62F2704AC409AA3B04CB78B9767FE908BD0BE4C6977A469B68D7C5F83B786EE915BECF5244E70892A48A92B9D0CA9A767EA329B63A6EAD98F9F274
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:version=26.8

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):96816
                                                                                                  Entropy (8bit):6.180127833270033
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:ZJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxw1:ZQUm2H5KTfOLgxFJjE50vksVUfPvCY
                                                                                                  MD5:F8FE512BC57CBF44998221FD3C5944F4
                                                                                                  SHA1:7AAC2422B394A66FDAFA69B63CFF174ACCA1C867
                                                                                                  SHA-256:5D8527636659FAFA79AEB46A6C235C9C302EBEDF08196700C38C6592A404F71F
                                                                                                  SHA-512:AB5BCE24D24F441438A7DFD3E525511DFA2A865EC93BC39F25B5DD46E99EECEC8D2A0FB181BCBBD99D71F366FB00A47751B41A5926AA1031ACE905E453982E65
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ....................................`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):186416
                                                                                                  Entropy (8bit):5.93420260026271
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:+kfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFeJ:o+c7b1W4R6joxfQ8Q
                                                                                                  MD5:A22369218A10056E810C621DB7F390CF
                                                                                                  SHA1:17B681E178D96185987EFBF578DFD340A5FBF356
                                                                                                  SHA-256:987534702FC690CFB0C8B21691C91FF42268FD21C27925D93F0F788FBE03EE80
                                                                                                  SHA-512:6D49C50DF7599799902C7544C6B60300B8C2736719C408E828306ED7839EAC63AD5FC003E5FCA0F25623FBBED7244E0BE4F5EC2D7C6C529C53944603088B61E2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ....................................@.................................,...O.......................0(........................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):331824
                                                                                                  Entropy (8bit):6.169000089371824
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:QBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNT6:QDMUWITZznu85k8Wdn8KmCjIFi3VvG
                                                                                                  MD5:DDA5C3CE3FDBDD8A7EE32FD4C52E1A7A
                                                                                                  SHA1:8C01C9943BDBA54ED58FA308408AB5961647FF03
                                                                                                  SHA-256:42DBAE4DC463C840A39C9DC5A0DB218C565013EAF08CE2340DF78E1F83A3F0CC
                                                                                                  SHA-512:4C10E61D86F3822FFEFFDA55B0A0C6063C1AEDB9AF200A5747CA4F84754C396D88ECDCF25F54834EDCCDF303AFDAF6FF25116445C381AB77190A78AE3C286136
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@.......i....@.....................................O.......................0(... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):710192
                                                                                                  Entropy (8bit):5.960836949197253
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:0Bja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUG:0Bjk38WuBcAbwoA/BkjSHXP36RMGj
                                                                                                  MD5:9B18B6E518E2088BC98D77C3ED163319
                                                                                                  SHA1:4F6C785597BBAB2BCAFE0527E99F2271D334B628
                                                                                                  SHA-256:ABBD5647F1F025E7D0B1148E909B3CE9D9CFEA3B737B156889C0EE33F4C42C92
                                                                                                  SHA-512:A2EA7FD06834A047AE64CDFA762CD55A8BC486912933E254EA565E1294C75CFA24DB66990C87881B05156F5549FC7E695E2439E736B7435EF8FABE7B36A5EF51
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55856
                                                                                                  Entropy (8bit):6.238978848951217
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:hREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpBEpYinAMxCWLg:hR8+5k15z0WBZEtgwJq7Hx3U
                                                                                                  MD5:DFFF197E97490BB88ACF7EBB14870A4C
                                                                                                  SHA1:F355204DCB7F9045A91F3C6E20AB9D54C42A1B6C
                                                                                                  SHA-256:65AA35A36E77421CAAE591068E7C3AD23E1DFE3D51D5FBF39F8F308B4F19970E
                                                                                                  SHA-512:6F450AE14BC9EE67D99E894CD1F256F7D6885D03C8BEC8AD449F26B0D2FA64036763432BBF69D5887C7053E7BF5B2EFC4030C584731054B5FF4F6EB335C16C15
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<V.........." ..0.................. .........c. ....................... ......J>....`.................................P...O.......H...............0(........................................................... ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........".................."..P............................................................................................0.......................0.......................................................................................0...............0...................................................................................................0...............0...................................................0...............0..........................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\PubNub-Messaging.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):171520
                                                                                                  Entropy (8bit):5.638603609887119
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:mDmFGFDi7DBhxBFBhD9J79tDJNFUK2+6Kt1n4/GVi48CGtkfqLskm3BDaEQysVia:mVKOGV3PDaEQVVi2enxmH8ETz6b2A+
                                                                                                  MD5:E8458B60D4F251DE071B765287C5661E
                                                                                                  SHA1:B4A4D91483F658B79204EC4BE2C2012EFEFD5A63
                                                                                                  SHA-256:52C29826C96E35373F05FEFBD0F92AC9EC377CD65E8F58A945F3A86B41C3DDC6
                                                                                                  SHA-512:57B3B9CD3A47A6543E0E81A4606E7A90E4A459FE827C01EC6A21D1A64503FE6267079FA89E3120519079A1E9A0EB925F3B794D9B39F03D7EBA524393DC564BEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.X.........." ..0................. ........... ..............................~.....@.....................................O...................................L................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........-.............................................................~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....-.~....,..*.......s.......(...+~....*.~....*.......*...0..@.......s.......}......}......}......}..........+s.....(....&~....o....*.0...........u....%{.....%{.....%{.....{.....(.....Ps........o....o....tN...o........o....o........-.r...p+...o........o....r...p(........(......o......(....(....(......o........,...o...........(...+..~....o....*

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):753
                                                                                                  Entropy (8bit):4.853078320826549
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                  MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                  SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                  SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                  SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallState

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7466
                                                                                                  Entropy (8bit):5.1606801095705865
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                  MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                  SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                  SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                  SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):107520
                                                                                                  Entropy (8bit):5.61222820248956
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:+Tk1M9FgUVRP4ZCebOnhAKmMAhyAc00dX62Cbkmcg3vtTqlsobxF:p6gUXPe0nCKmMAt0dK2CbkKvtTqxF
                                                                                                  MD5:28D920237F64F246331725C1B2A29D1B
                                                                                                  SHA1:6CBBAEAB2AAF910F7397771C4E2B5BA7D5719C9F
                                                                                                  SHA-256:79F6FADF2E77652D0D7FCFE3D82E0F2382DC373DB0F2A1D7499D1EEC0BA514AA
                                                                                                  SHA-512:D89DC5C0DA0962B43FBBAE57D373C543C1023BFDBA59721E9DE22BE6225C6207742C6E80FB737CEBC1753C4AEC53218A04187F9FF2C78FB5F0C71D7BBFC65F32
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\o^.........."...0.................. ........@.. ....................................`.................................h...O.......,...........................0................................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H...........4...............p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~......9...s....%.....s.......o......o.....*...0..O........(...........~....r...po...........,..rG..ps ...z.rO..p.....(!....b.....o"....*..0...........~....r...po#..........,%.~....r...po...........,.rG..ps ...z..r

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2050
                                                                                                  Entropy (8bit):5.046100598911167
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3frfdbK52nKS4YHJyILsJ+J4YHKJyIv47O7Rguo3XfsnMhmMx:vrf9K5kKS4Ypy6sJ+J4YqJy3qo/sMXx
                                                                                                  MD5:7FF0AC77806AED9588B143CD0FAB552B
                                                                                                  SHA1:184B62F2956B95FFE3DC98EBB31D7F45DBCA83FD
                                                                                                  SHA-256:730D85D5EF4F0939154278949C126A444ED859E7718BB175CA3153CA6ED9D142
                                                                                                  SHA-512:1856BDA8CC3D4161110CD75A7BE4939193ED408A95F9C41E22F4CC9F85B1294584F95796BCE207DD65D606FFB57760B3D2E1681EFBBB7759A19A9F70FB7EDAC8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. <add key="PubnubMessaging.LogLevel" value="0" /><add key="PubnubMessaging.PubnubErrorFilterLevel" value="3" /><add key="PubnubMessaging.LogMessageLengthLimit" value="0" /></appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="Syste

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):200704
                                                                                                  Entropy (8bit):5.683688089372797
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
                                                                                                  MD5:C8164876B6F66616D68387443621510C
                                                                                                  SHA1:7A9DF9C25D49690B6A3C451607D311A866B131F4
                                                                                                  SHA-256:40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
                                                                                                  SHA-512:44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):475136
                                                                                                  Entropy (8bit):6.032338173466497
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:g+Idc1yb868v7OgHL1Rimqj9mWTEFxLL3Y1zIalvBFj7eP9yBherOyK:gTc139iUL1RimqdgFNYddBgyH
                                                                                                  MD5:83222120C8095B8623FE827FB70FAF6B
                                                                                                  SHA1:9294136B07C36FAB5523EF345FE05F03EA516B15
                                                                                                  SHA-256:EFF79DE319CA8941A2E62FB573230D82B79B80958E5A26AB1A4E87193EB13503
                                                                                                  SHA-512:3077E4EA7EBFD4D25B60B9727FBAB183827AAD5BA914E8CD3D9557FA3913FD82EFE2CD20B1A193D8C7E1B81EE44F04DADFCB8F18507977C78DD5C8B071F8ADDB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3............" ..0..6..........vT... ...`....... ...............................E....@................................."T..O....`..d...........................TS..8............................................ ............... ..H............text...L5... ...6.................. ..`.rsrc...d....`.......8..............@..@.reloc...............>..............@..B................VT......H........ ..D2...................R........................................(....*..(....*..{....*"..}....*..(&...*:.(&.....}....*"..('...*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..{$...*"..}$...*..{*...*>..}*.....(....*..{+...*>..}+.....(....*..{%...*"..}%...*..0...........{&......(....-..*..(....*6..s....}&...*.0...........{'......(....-..*..(....*6..s....}'...*.0...........{(......(....-..*..(....*6..s....}(...*.0...........{)......(....-.

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\PubNub-Messaging.dll

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):171520
                                                                                                  Entropy (8bit):5.638603609887119
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:mDmFGFDi7DBhxBFBhD9J79tDJNFUK2+6Kt1n4/GVi48CGtkfqLskm3BDaEQysVia:mVKOGV3PDaEQVVi2enxmH8ETz6b2A+
                                                                                                  MD5:E8458B60D4F251DE071B765287C5661E
                                                                                                  SHA1:B4A4D91483F658B79204EC4BE2C2012EFEFD5A63
                                                                                                  SHA-256:52C29826C96E35373F05FEFBD0F92AC9EC377CD65E8F58A945F3A86B41C3DDC6
                                                                                                  SHA-512:57B3B9CD3A47A6543E0E81A4606E7A90E4A459FE827C01EC6A21D1A64503FE6267079FA89E3120519079A1E9A0EB925F3B794D9B39F03D7EBA524393DC564BEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.X.........." ..0................. ........... ..............................~.....@.....................................O...................................L................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........-.............................................................~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....-.~....,..*.......s.......(...+~....*.~....*.......*...0..@.......s.......}......}......}......}..........+s.....(....&~....o....*.0...........u....%{.....%{.....%{.....{.....(.....Ps........o....o....tN...o........o....o........-.r...p+...o........o....r...p(........(......o......(....(....(......o........,...o...........(...+..~....o....*

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\log.txt

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):72
                                                                                                  Entropy (8bit):4.376599786459481
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:65vWcBo2D2GR2vWcDXo2D2y:65O4Dr2OoFDX
                                                                                                  MD5:5F6D9DCBD11A228E551027184921C292
                                                                                                  SHA1:D38A874988A6C8D3C0DBD0EA9A7BA0D8483A36FC
                                                                                                  SHA-256:E4D33841FF48501B5049297C4B9DF1B7F77D62FCA63BF6546097593E32F412B3
                                                                                                  SHA-512:FBBFA791A662858682E781DAB7E9D3EFCAF8D9AEC8A37674ED47836FB1AB29D15C5B541002EAA5BE61F0FDC3B0198624EBFB5899E847ABC647674538C84D8025
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:04/09/2024 08:39:46 Trace Starting..04/09/2024 08:39:57 Trace Starting..

                                                                                                  C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):72
                                                                                                  Entropy (8bit):4.376599786459481
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:65vWcBo2D2GR2vWcDXo2D2y:65O4Dr2OoFDX
                                                                                                  MD5:5F6D9DCBD11A228E551027184921C292
                                                                                                  SHA1:D38A874988A6C8D3C0DBD0EA9A7BA0D8483A36FC
                                                                                                  SHA-256:E4D33841FF48501B5049297C4B9DF1B7F77D62FCA63BF6546097593E32F412B3
                                                                                                  SHA-512:FBBFA791A662858682E781DAB7E9D3EFCAF8D9AEC8A37674ED47836FB1AB29D15C5B541002EAA5BE61F0FDC3B0198624EBFB5899E847ABC647674538C84D8025
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:04/09/2024 08:39:46 Trace Starting..04/09/2024 08:39:57 Trace Starting..

                                                                                                  C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3910992
                                                                                                  Entropy (8bit):7.999062677756715
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:98304:wtc/iNuKEElj7Ssx6zXKJr9aEpaDwvVvtUD+yzOrf+AGUniav4Xbb+:wq+LE4dxmoMWAwvNtmOBGPXP+
                                                                                                  MD5:93B4FC0135DEBA59A7D1A59468FE2794
                                                                                                  SHA1:8604571FE2CC0E1B170A8C8E195F8625E804347A
                                                                                                  SHA-256:C4B75C7B1491F67ED2FCAFFC23FFA9A7D250AEDEC84B94285D6AD620220B0011
                                                                                                  SHA-512:7B34A5D70661A4A2F26AFEC0D7197739A9CCB47780E72CB76C3C0AB649BB05FDC71D6AB79F0D4F8E2FDFFFF3157129A113A449F21C11F33EFC4F8239521524A3
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q.hU0.;U0.;U0.;:F#;V0.;:F";]0.;:F.;T0.;:F.;T0.;RichU0.;................PE..L....O.e.........."......*...0;..N..W6.......@....@.................................Y.<...@.............................................xH...........\;.HQ...........................................................................................text...5(.......*.................. ..`.itext...N...@...........................rdata..............................@..@.data.....:.......:..2..............@....rsrc...xH.......J....;.............@..@.reloc...............V;.............@..B.custom..............Z;................@................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Algol 68 source, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):157873
                                                                                                  Entropy (8bit):4.753497932507659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:ZHXt/BWDLm8arfT4h6+2j+S64ioX+g15titNI6cSM:gDLmtrfT4hj2ju0X9wGSM
                                                                                                  MD5:AB3D7C0401590BBDAF4B3C84592D24D6
                                                                                                  SHA1:756F86B49CA2035638F77BBEB60CFE6A827B553E
                                                                                                  SHA-256:4428A8B3F1A63312918FF5F8E1D5EE1F6EEBA9D73A336721338D494D2B6E5F6C
                                                                                                  SHA-512:24AAC8D02347EF3E226531CA15B71714CB53546C7AA1B4D961A72E097C3528AE2590B00ECBAA7E80815E99FAFB6919D234E957DFCD08467CD753B24C004B6124
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:<pre>Acknowledgments....This Splashtop software incorporates materials from third parties, the use of which is hereby acknowledged.....================================================================....AES....Copyright (c) 1998-2010, Brian Gladman, Worcester, UK. All rights reserved.....The redistribution and use of this software (with or without changes)..is allowed without the payment of fees or royalties provided that:.... source code distributions include the above copyright notice, this.. list of conditions and the following disclaimer;.... binary distributions include the above copyright notice, this list.. of conditions and the following disclaimer in their documentation.....This software is provided 'as is' with no explicit or implied warranties..in respect of its operation, including, but not limited to, correctness..and fitness for purpose.....================================================================....CELT....Copyright 2001-2009 Jean-Marc Valin, Timothy B. Terri

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):310280
                                                                                                  Entropy (8bit):6.406682858396138
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:B2ewUPD+fCEWepqJ1u45FC9xrIaPXiyVfl/7RohyyP16+Dfj8d3:NRPD+KLepIu4qnrIBy/7RoPfO
                                                                                                  MD5:FB1A6F0CB84ACB237FF0E42E5CF876A6
                                                                                                  SHA1:6CDEBFA5ABBF7BA48179DFF13A1343F3C4D9348F
                                                                                                  SHA-256:DA5E12D077875B4F93210B10689F28B6EF33480E3BD2362E80F11EDFF8C9966D
                                                                                                  SHA-512:2602908AB2FAF07C1957DAD00960F6432D08BDD7327DB96D1338C87B1E18CB025B381378BA4BC800F558D26D76922E5882481A99B17575D3D48208C289EE3B8D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........PC..C..C......H.............Q....R....I...........F..C../..W...B..W.[.B..C.3.B..W...B..RichC..........................PE..d.....0e.........."....$............H..........@.....................................u....`..................................................F..<.......H.......H'.......(..........@...p...............................@............................................text............................... ..`.rdata...@.......B..................@..@.data....+...`.......F..............@....pdata..H'.......(...Z..............@..@_RDATA..\...........................@..@.rsrc...H...........................@..@.reloc..............................@..B........................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):249864
                                                                                                  Entropy (8bit):6.627715385431378
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:gbNEPN9Db8oxccZd8lZOWb1yBGAOnpe6nbXcw:gc/8oxc5yBGVpJbXcw
                                                                                                  MD5:151AAE6C0F0E40AB4138AF953768AB37
                                                                                                  SHA1:18F55A0707EE7140776D7857D0AF56D471289960
                                                                                                  SHA-256:F253CE8A8C4CDC4FD7A93A04515B208D461FF6E4076F64431E7EC7E9E5E08923
                                                                                                  SHA-512:40FFF8741C8AFB0EF2E6F8F69755F8A2E1F6422943341BBE680EEEFE939731F39E59D1C608B7C23AA649C3F2D93E6104E6B420A755F551F555504E1028B91C68
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.B.>},.>},.>},.../.3},...)..},...(.(},...(./},.../.+},...).q},...-.;},.>}-.]},.*.%.?},.*..?},.>}..?},.*...?},.Rich>},.........................PE..L...+.0e...............$.....2....................@.......................................@................................. p..<.......H................(....... ...H..p........................... H..@...............h............................text............................... ..`.rdata..J...........................@..@.data...p............n..............@....rsrc...H...........................@..@.reloc... ......."..................@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40160
                                                                                                  Entropy (8bit):6.316240044981803
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3z+6yz3JqnYCblcp6wOmMQC4cT3AZ21w6LuOBjEwXxyvJ3GB1C2GCTaZum8e:3ByY12kwOm8s2diSXCIB1yC2HT
                                                                                                  MD5:1033D6EFB14B7C8308A261E7151A8FDD
                                                                                                  SHA1:C331C67E93DA33EAAAAA0A4033855F185A79DE99
                                                                                                  SHA-256:6A14EFEE1EAD8592B0E5199DB4E7256462F135D6DC10A803D98D03CFC4F1E678
                                                                                                  SHA-512:083C365FD00BDED1637CBA2DDCE2FC3D93A8C60122F01CCD675A13EFF4C7663EE0FCE1B3316755FC971B3A3E6D242E29236180508D03C803950E2159B374767B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........wU.............f.......f...............f.......f.......f.......f.......f.......f......Rich............................PE..d...7.#R.........."......`..........t..........................................................................................................(.......P....`..x...............4....B...............................................@...............................text....".......$.................. ..h.rdata.......@.......(..............@..H.data... ....P.......4..............@....pdata..x....`.......8..............@..HPAGE....f0...p...2...<.............. ..`INIT.................n.............. ....rsrc...P............x..............@..B.reloc...............~..............@..B........................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):224
                                                                                                  Entropy (8bit):4.68750285687923
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dCiI4FDIIlfILQIIbdELV0Lr+FDIIGKhaL3C:kidCiRxt2QjdRCxeKcL3C
                                                                                                  MD5:EBC2A6216B737E813732ECA1BB1F2AF2
                                                                                                  SHA1:6E63AB58C2055A3F276C1CD36FA406E37C099099
                                                                                                  SHA-256:275C9771ED3AC2ABE0989A114804ADD0CCED09F8A1BFF1633C4F79929921713B
                                                                                                  SHA-512:248CD17E4836B429DF0923E8C04FD3F8ECAB7CC8BFF6761F06AAED420111FF5DBADCC974193701DEBF63655CD79E8E0D0B6C7599760B13ABA19B5C0E178BF7EC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd.exe /u stgamepad.inf >> inst.log..utils\devcon.exe install stgamepad.inf root\stgamepad >> inst.log..utils\enum.exe -p 1000 >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):232
                                                                                                  Entropy (8bit):4.776744518403625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dRLPI4FDIIlBILQIIbdRL6V0Lr+FDIItGKhaL3C:kiddRxr2QjdHCxwKcL3C
                                                                                                  MD5:4AD78E888894B3F89711D75D526E2D9A
                                                                                                  SHA1:A01DD7B5F20052AB27B721127DAB01A34666D4D9
                                                                                                  SHA-256:8B82E0E205711B8A22939AB86BF955DB938D2A733F57E48404DD118B5DDB9AE5
                                                                                                  SHA-512:CD6C972070593A6FE09778BC043C84CABE61E96FC3EA1B529D993540678AE0E99A641BFFAB87B3AE954977F0C0A9C639185889421225C185615C4EC34A8699F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd64.exe /u stgamepad.inf >> inst.log..utils\devcon64.exe install stgamepad.inf root\stgamepad >> inst.log..utils\enum64.exe -p 1000 >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8955
                                                                                                  Entropy (8bit):7.156854915296666
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:3F37o7MECwCNnYe+PjPGr9ZCApkT1rrZgjlerpLF+vc1rbrRnJ4aTT:3NEuwCNnYPL/p1P6jeL3JrRiaT
                                                                                                  MD5:214E5DB2F6D3FF72B6E4F3BACCD7ECB0
                                                                                                  SHA1:64CC6A8F3E79BFA0301924D4A18370CFDD8ED955
                                                                                                  SHA-256:C23C1C358705DCE49FD6D1BEB1B0482F74DFCE35FEE7AE4D0C79390385FD22F9
                                                                                                  SHA-512:E31E2455A7014937F3E9ECA05D192320CF6159CED333888C6612BE36453F72D76F1015FC1306D41F41CD5F4CB206028ECD99C0F28505D29B6E9E0F497D231D17
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0."...*.H........".0."....1.0...+......0.....+.....7.....{0..w0...+.....7........'PP.M.B.....v..130902014741Z0...+.....7.....0..e0....RA.6.6.8.6.5.4.3.B.1.2.3.6.6.1.8.8.6.3.A.1.F.A.6.3.F.A.2.B.1.4.F.A.8.A.E.5.4.F.A...1..k0>..+.....7...100....F.i.l.e........s.t.g.a.m.e.p.a.d...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........heC.#f..:..?..O..T.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RC.C.2.3.0.0.C.3.E.9.D.5.2.9.0.A.2.A.4.0.6.2.7.3.A.0.F.8.3.5.8.1.D.3.7.F.F.0.1.8...1..s0>..+.....7...100....F.i.l.e........s.t.g.a.m.e.p.a.d...s.y.s...0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1598
                                                                                                  Entropy (8bit):5.348428467214068
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:BoJAo10StKRqv8rI3OB/7wBZBZhvC3R7YxGcSF+125dLH/kvGPGo:BoJbkEvReNErZZcQ125CvQR
                                                                                                  MD5:5AE5F4B07FABDB969DDA6425E54C4DDD
                                                                                                  SHA1:A6686543B1236618863A1FA63FA2B14FA8AE54FA
                                                                                                  SHA-256:489CFA94B8FAEA97E0CF73714A65890418247BF34023DC4FDEBB03EF233B12F9
                                                                                                  SHA-512:C8751CF986E7A2800924D9707FB40AA95F5EE2431E16D5EEDC583FEA1F5351C95BF3FD90AC0EBD81AFC7262FBFA6C452BF1CA1B908E7360515970F146D0D6E50
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$CHICAGO$"..Class=System..ClassGuid={4D36E97D-E325-11CE-BFC1-08002BE10318}..Provider=%splashtop%..DriverVer=05/21/2013,1.0.0.0..CatalogFile=stgamepad.cat....[SourceDisksFiles]..stgamepad.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,\64bits....[DestinationDirs]..DefaultDestDir = 12....[Manufacturer]..%splashtop% = Vendor, NTx86, NTx86.6.1, NTAMD64, NTAMD64.6.1....[Vendor.NTx86]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTAMD64]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTx86.6.1]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[Vendor.NTAMD64.6.1]..%splashtop.DeviceDesc% = StGamepad_Install, root\stgamepad....[StGamepad_Install.NT]..CopyFiles = StGamepad_Install.NT.Copy....[StGamepad_Install.NT.hw]..AddReg = StGamepad_Device_AddReg....[StGamepad_Install.NT.Copy]..stgamepad.sys....[StGamepad_Device_AddReg]....[StGamepad_Install.NT.Service

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33504
                                                                                                  Entropy (8bit):6.4990196288743425
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Uwyk2eCK3PRiZ1bcvrlEeT0OEM859sKkgTvEakiX5vFmXhBcfoaM8l1l3nzWPDP8:UupCJeT5EgKkgTMa3VFMmAalaPzumy
                                                                                                  MD5:4C3233F0B9A5BC7B58B464C9E1E86D52
                                                                                                  SHA1:FCCE254ED5DF8DE6D21623A6E53FA2AEEE030365
                                                                                                  SHA-256:832328B8DD98D51A9CE29C3953E85AFB036964299B93B9FB929023F15C63AD9A
                                                                                                  SHA-512:884A22B0CE16B91B1A04D6B5E99678CC584484FF5BE3D92ADDB27F0E9D58BFF57A9716C843789F9BD59EC79A55EF342DFD2A0EF39C6E7776CD4FC0211EE8DFCF
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........i...i...i.......i.....i...h...i.......i.....i.......i.......i.Rich..i.........................PE..L...5.#R.................N..................0.......................................;..........................................<.......P............f.............. 1...............................................0...............................text...(........................... ..h.rdata..V....0......."..............@..H.data...4....@.......*..............@...PAGE.....%...P...&...,.............. ..`INIT....8............R.............. ....rsrc...P............\..............@..B.reloc...............b..............@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\uninstall_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):154
                                                                                                  Entropy (8bit):4.715757968072225
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:jTDVBF+jVy9kCCWo7EIbd/KiIKTAxsHs2yo7EIl2YILzDoC:/AjsC3IIbdCiI4FDIIlfILQC
                                                                                                  MD5:5D33C035F7B22B463DBD01BC0D31C9E9
                                                                                                  SHA1:5345461EF02D330178F047FFBD40C5F4B142A416
                                                                                                  SHA-256:45C7D88A3D4643220137D23DBE0EB5CE45DFB6AD16EDC1D6EE4CA8FD1C41AF49
                                                                                                  SHA-512:88E339E01417D6EFAA8271E6F3A9D077711508A3EE4D0CF3A95E6607C0282D201633113EACB8A142189F54476AD7B501EAEEA5AC2D9297A06B1A7A55D73B8940
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\enum.exe -u 0 >> inst.log..utils\devcon.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd.exe /u stgamepad.inf >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\uninstall_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):160
                                                                                                  Entropy (8bit):4.807126999960993
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:jTDVBF+jVy9dJFtCWo7EIbdRLX/IKTAxsHs2yo7EIl3xILzDoC:/AjsZW3IIbdRLPI4FDIIlBILQC
                                                                                                  MD5:D0E7FCE8A8281FC10CB9548299254079
                                                                                                  SHA1:112A4EA65D2CC4A1C57EB6967AC058C8EDE341DE
                                                                                                  SHA-256:11F757D09B095A89D52A990149379618551D88E92E1C9BEEFED243A083487260
                                                                                                  SHA-512:8132F0DFE0071D3CA3CC5D4CD6ED2634E61314BF6BB84AF5B5F97261E3E26601F1C6AA5C8ABBDA596639CAF4C0E2AFC3A2DE46BB92C199894DD5CFC2DF519CFF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\enum64.exe -u 0 >> inst.log..utils\devcon64.exe /r remove root\stgamepad >> inst.log..utils\DIFxCmd64.exe /u stgamepad.inf >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11776
                                                                                                  Entropy (8bit):5.289815206775557
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Qexcism3zhYFH1u0BFhdzQV3TdfPq12pru6JEkb8oHA1Ib/meUmV:QeKduuf1+DEgprhh82Tirm
                                                                                                  MD5:5F1E3F3B071AB0D51AB45060D156AF17
                                                                                                  SHA1:2FFCC9CC689C7C3DA18DF015C4BCC880F185C800
                                                                                                  SHA-256:B628E895BFC38227DB258DB91959C6D55367877669944DA022A89469101D8BCF
                                                                                                  SHA-512:3EAAB54CD58350BADBE0F32B78BA7EA8EA50072AA159A3A36AD730116247D225C164CFCAFFE920C34D9287E55E68D933A92D4F7E7D3CEF9E8E3F185DAB629BC7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.9...W...W...W.......W.......W.......W......W...V.O.W.....].W.?{)...W.......W.......W.Rich..W.........PE..L...5.#R............................p........0....@..........................`......F.....@...... ..........................,%..P....@..8....................P..........................................@............................................text............................... ..`.data........0......................@....rsrc...8....@......."..............@..@.reloc.......P.......(..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11776
                                                                                                  Entropy (8bit):4.886509604340361
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:reQH6MzhfmNHuhv9LIFJxGNIiTwnPXIXBY+CzASxvh1b7sAmIb/IeUmV:rezev9cGNIiTGOY9Dxvh1xUrm
                                                                                                  MD5:815848A1B7AA76DE38315A7C796165DE
                                                                                                  SHA1:131016320240F5760853BB0AE8ED34CE8865C4B5
                                                                                                  SHA-256:99FF169E6114BA53DDC6BFCDB08CF73CB1104E69EEDC2A13F39605A96CAA5367
                                                                                                  SHA-512:3A9453528FC5335AFF02717EE7271EBE253CF986FE71B7CE4BE4B060BE7EF625EA33877F98B2DEA54432A2F7625314A5B3DCF57518209E818EC03589257E69F6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Kf................U.......C.0.....D.......S.....y...........n...y.........I.....(.........T.......Q.....Rich............PE..d...7.#R..........".................H.........@..............................p......|.....@.......... ......................................`$..P....P..8....@...............`..........................................................X............................text............................... ..`.data........0......................@....pdata.......@.......$..............@..@.rsrc...8....P.......&..............@..@.reloc..h....`.......,..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1416
                                                                                                  Entropy (8bit):5.221234341229966
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VrY6t5UbhKRvV2ktXrTsIeZvEMtXrGrJKhrlXgpAY1u5lSuWJmiDUNLk32pNaf1E:5Y6qhKT2mvsIeZvEuarJKhpXo1moJmiI
                                                                                                  MD5:BECB66962164A387453E351769E665A4
                                                                                                  SHA1:D5651F9CE02E1D48E85A33DCAFB906F3DC575365
                                                                                                  SHA-256:294AE63315DCFCBA4F8BB30BC4098E6BF39281244BC215FE9EB8EA3B778CEC48
                                                                                                  SHA-512:03523212E1827635EB2573ABE2B1A3D66BA529990917B739AF6B2C6727223D2E99E4A353B21F2871FFBCA44D22623409EA1451CF0A0ADBED9C0E8DBB6E55C6CF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x86\my_setup.dll....REM..REM If OSBase/KairOS driver is previously installed, stop the installation...REM..sc query ddmgr..IF %ERRORLEVEL% EQU 0 (.. echo OSBase iDisplay driver detected! Try uninstall OSbase/KairOS iDisplay software... goto exit..)....REM..REM If older driver (lci_proxykmd) is previously installed, stop the installation...REM..sc query lci_proxykmd..IF %ERRORLEVEL% EQU 0 (.. echo Older display driver detected! Uninstall it first.. %DEVCMD% do_uninstall_lci_proxykmd .. timeout /t 1 /nobreak.. sc.exe delete lci_proxykmd....:wait_for_delete.. sc query lci_proxykmd.. if %ERRORLEVEL% EQU 0 (.. timeout /t 1 /nobreak.. goto wait_for_delete.. )..... timeout /t 1 /nobreak.... del %

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1414
                                                                                                  Entropy (8bit):5.220204645552163
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:VrY6t5UbhKdvV2ktXrTsIeZvEMtXrGrJKhrlXgpAY1u5lSuWJmiDUNLkQ2pNaf1E:5Y6qhK32mvsIeZvEuarJKhpXo1moJmiX
                                                                                                  MD5:B80450985E33B188398EF5475FE3A4BA
                                                                                                  SHA1:6699FE7C174A9A585E3559A16877B5555687F6F0
                                                                                                  SHA-256:760BC44295820C5AF7E2D5077CE05EED8E23B3EF344D5C6C48422818DDE78D41
                                                                                                  SHA-512:BA29A71114A86E10ACE80F5B039DB68F4FE3BFD5592ECC6511D9AA0235E75ACFA188909EE0453593EBEFDB33DB46D1272C98A44350ABB24810C52FDEE817853F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x64\my_setup.dll....REM..REM If OSBase/KairOS driver is previously installed, stop the installation...REM..sc query ddmgr..IF %ERRORLEVEL% EQU 0 (.. echo OSBase iDisplay driver detected! Try uninstall OSbase/KairOS iDisplay software... goto exit..)....REM..REM If older driver (lci_proxykmd) is previously installed, stop the installation...REM..sc query lci_proxykmd..IF %ERRORLEVEL% EQU 0 (.. echo Older display driver detected! Uninstall it first.. %DEVCMD% do_uninstall_lci_proxykmd .. timeout /t 1 /nobreak.. sc.exe delete lci_proxykmd....:wait_for_delete.. sc query lci_proxykmd.. if %ERRORLEVEL% EQU 0 (.. timeout /t 1 /nobreak.. goto wait_for_delete.. )..... timeout /t 1 /nobreak.... del %

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\uninstall_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):805
                                                                                                  Entropy (8bit):5.339948574341861
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:V8pgfeV4BZAK/1AN6gizSnOf6DE6Z9wmhKRvVLymhMm0KuKDLGuKw61IfQHyoHHO:VSIBBY6t5UbhKRvV7e6LpIJHT5C
                                                                                                  MD5:704D1CC8E0B87710278CE3EFD1C17954
                                                                                                  SHA1:EDF2D7FED5D3D88A657732B37C72E4CDEE90D12D
                                                                                                  SHA-256:FAB1408C7DE4B76FA3AF7AD4C9F25DF2063C591CDFC46445999D31B4DB712208
                                                                                                  SHA-512:6061B9BB1A4D55FD916A44C8619356DC4ED40C284F91FC2114CD5974533F762F88B4E0C49A265E96AD1E122ACFBA947D02AA3B11E43115D247FA0868661BDC3B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....reg delete "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /v "VirtualDisplay" /f....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x86\my_setup.dll....echo removing LCI PROXY WDDM Device.......%DEVCMD% do_uninstall_lci_proxykmd..%DEVCMD% do_uninstall_lci_proxywddm....timeout /t 1 /nobreak..sc.exe delete lci_proxykmd..sc.exe delete lci_proxywddm....timeout /t 2 /nobreak..del %SystemRoot%\System32\lci_proxyumd.dll..del %SystemRoot%\System32\drivers\lci_proxykmd.sys..del %SystemRoot%\System32\drivers\lci_proxywddm.sys..del %SystemRoot%\System32\drivers\UMDF\lci_iddcx.dll....:exit..ENDLOCAL

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\uninstall_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):817
                                                                                                  Entropy (8bit):5.35613829912293
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:V8pgMyeV4BZAK/1AN6gizSnOf6DE6Z9wmhKdWiVLymhMm0KuKDLGuKw61IfQHyoO:VS3sBBY6t5UbhKdvV7e6LpIJHT5C
                                                                                                  MD5:319DCF0B017DAFA51C33A7489D123F91
                                                                                                  SHA1:60F8E32A2E7E05F2384D8B66E51F8FF1DE70AC10
                                                                                                  SHA-256:44A271D1DD10FFC85815DF277E708BE462CC5AFABC43BD0D7A9505E35A70E488
                                                                                                  SHA-512:EE6403E7069C1185F6F34A02DA2DE1FEC2F859E89523B769CF9EFDCAA2CD9E5AFA501ADC38169A86D86DA1570C789116A29C2485F87201CFD2A770EC447A55C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off..SETLOCAL..%~d0..cd %~dp0....reg delete "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /v "VirtualDisplay" /f....REM..REM detect the OS version..REM..for /f "tokens=4-7 delims=[.] " %%i in ('ver') do (if %%i==Version (set v=%%j) else (set v=%%i))..if %v% GEQ 10 (.. cd win10..) else (.. cd win7..)..set DEVCMD=rundll32 x64\my_setup.dll....echo removing LCI PROXY WDDM Device.......%DEVCMD% do_uninstall_lci_proxykmd..%DEVCMD% do_uninstall_lci_proxywddm....timeout /t 1 /nobreak..sc.exe delete lci_proxykmd..sc.exe delete lci_proxywddm....timeout /t 2 /nobreak..del %SystemRoot%\System32\lci_proxyumd.dll..del %SystemRoot%\System32\drivers\lci_proxykmd.sys..del %SystemRoot%\System32\drivers\lci_proxywddm.sys..del %SystemRoot%\System32\drivers\UMDF\lci_iddcx.dll....:exit..ENDLOCAL

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):85216
                                                                                                  Entropy (8bit):5.323561566613011
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:34rhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkApiKB:K+KY04RMmSCYmBiF4O7WTgKB
                                                                                                  MD5:CD483270630CCABBD1902C6B21FBE9D3
                                                                                                  SHA1:B33C3139DD83F108591383449D4F9136189D8F97
                                                                                                  SHA-256:49D6B913A4095A3E7B14554C91942BD5CDDDF9DCFDB076B31921592AFF1BC135
                                                                                                  SHA-512:DC92ED176DBB7CC27BE1FFF90F875B2582869465156BD70F363902524C716822FB9657AA944A6F02CB1E77271F3D24F8667F4A678F5BB5B5846AB18E455A731F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P......F.....@...... ..........................lm..........p............0.......@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):89312
                                                                                                  Entropy (8bit):5.29323585141242
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:UP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7WsK6:UePOYe4bu1epDh8RWsK6
                                                                                                  MD5:07361279885BC0B334DDF5754CDB12FE
                                                                                                  SHA1:63A7320CD6992E2509EB1D82D550B1AA5FEA6A47
                                                                                                  SHA-256:96411A783BAA574421659E73B11F111A0EEB3D9B105CA55E29FE6C0B820646F7
                                                                                                  SHA-512:D07F5DFFEAD4470CAA935F6CD250DF9CA77A2D28C0B84112D83CE9ED7AC7A01CB012773FB290612E4DE45776BB919C395533AD3AD5497A3469BFE5B43FB5D1E8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......Mz....@.......... ......................................X}..........p.......T....@.......`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10957
                                                                                                  Entropy (8bit):7.22853921730831
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:0gNqq6a1DUuvE7EwWZhYC/nnbXfH098uXqnajH/svHa:0gEy9Zh3/njXuXlTsPa
                                                                                                  MD5:62458E58313475C9A3642A392363E359
                                                                                                  SHA1:E63A3866F20E8C057933BA75D940E5FD2BF62BC6
                                                                                                  SHA-256:85620D87874F27D1AAF1743C0CA47E210C51D9AFD0C9381FC0CD8ACCA3854562
                                                                                                  SHA-512:49FB8CA58AECF97A6AB6B97DE7D367ACCB7C5BE76FBCD324AF4CE75EFE96642E8C488F273C0363250F7A5BCEA7F7055242D28FD4B1F130B68A1A5D9A078E7FAD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.*...*.H........*.0.*....1.0...`.H.e......0..=..+.....7......0..*0...+.....7......?~..S.N.j....J...181204081131Z0...+.....7.....0...0......e.Q.82....jG.8....1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...i.n.f...0.... _...U...woq..2..:.V.kx........1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... _...U...woq..2..:.V.kx........0.... `...m..d..E.f|.R.o../.ziR&7.._..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... `...m..d..E.f|.R.o../.ziR&7.._..0....d}...))...3e...u...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4514
                                                                                                  Entropy (8bit):3.7887986776100973
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:9G2XN/WAXHQ+C2C4kqWDZXpbdl5Vjnijla4UAiI6fOgTiYqG585wg3Jp:9L5EDNRniWI6fyw5I
                                                                                                  MD5:1CEC22CA85E1B5A8615774FCA59A420B
                                                                                                  SHA1:049A651751EF38321A1088AF6A47C4380F9293FC
                                                                                                  SHA-256:60A018F46D17B7640FC34587667CD852A16FA8E82F957A69522637F22E5FE5CF
                                                                                                  SHA-512:0F24FE3914AEF080A0D109DF6CFAC548A880947FB85E7490F0D8FA174A606730B29DC8D2AE10525DBA4D1CA05AC9B190E4704629B86AC96867188DF4CA3168BB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..;.....;.M.o.d.u.l.e. .N.a.m.e.:.....;. . . . .l.c.i._.i.d.d.c.x...i.n.f.....;.....;.A.b.s.t.r.a.c.t.:.....;. . . . .I.N.F. .f.i.l.e. .f.o.r. .i.n.s.t.a.l.l.i.n.g. .t.h.e. .L.C.I. .I.D.D.C.X. .D.r.i.v.e.r.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.L.C.I.%.....C.a.t.a.l.o.g.F.i.l.e.=.l.c.i._.i.d.d.c.x...c.a.t.....D.r.i.v.e.r.V.e.r.=.1.2./.0.4./.2.0.1.8.,.1...0...2.0.1.8...1.2.0.4.........[.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2.....U.M.D.r.i.v.e.r.C.o.p.y.=.1.2.,.U.M.D.F. .;. .c.o.p.y. .t.o. .d.r.i.v.e.r.s.\.u.m.d.f.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...x.8.6.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...a.m.d.6.4.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_proxywddm.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12585
                                                                                                  Entropy (8bit):7.124479508046628
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:M9yLPtUtkB7uIqhmbgE7EwWZhYCyZR/HsgKqnajVhY2c8evGd:gZO49Zh3e1MgKlxW2c8eed
                                                                                                  MD5:8E16D54F986DBE98812FD5EC04D434E8
                                                                                                  SHA1:8BF49FA8E12F801559CC2869365F0B184D7F93FE
                                                                                                  SHA-256:7C772FB24326E90D6E9C60A08495F32F7D5DEF1C52037D78CBD0436AD70549CD
                                                                                                  SHA-512:E1DA797044663AD6362641189FA78116CC4B8E611F9D33C89D6C562F981D5913920ACB12A4F7EF6C1871490563470E583910045378BDA5C7A13DB25F987E9029
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.1%..*.H........1.0.1....1.0...`.H.e......0.....+.....7......0...0...+.....7.....tW...d#O...L<":4..181204083207Z0...+.....7.....0...0....!,..8.'T......\.b.\s1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0F..+.....7...1806...F.i.l.e.......$l.c.i._.p.r.o.x.y.w.d.d.m...s.y.s...0....;~.Y&h.L..@.ds. .A..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0D..+.....7...1604...F.i.l.e......."l.c.i._.p.r.o.x.y.u.m.d...d.l.l...0.... \...s .p.mI^1:.M5KEO4..?l......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0D..+.....7...1604...F.i.l.e......."l.c.i._.p.r.o.x.y.u.m.d...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... \...s .p.mI^1:.M5KEO4..?l......0.... \...s .p.mI^1:.M5KEO4..?l......1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0H..+.....7...1:08...F.i.l.e.......&l.c.i._.p.r.o.x.y.u.m.d.3.2...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e.....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_proxywddm.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2715
                                                                                                  Entropy (8bit):5.41680725095282
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:qnchtOKbzLbS10bzPbSvb/mwwophwwoJOxWqrz61/zA9cjiJIjgW5FH1519HS4Bc:Pkua1YuSnEhn/A7ic4d4y
                                                                                                  MD5:0315A579F5AFE989154CB7C6A6376B05
                                                                                                  SHA1:E352FF670358CF71E0194918DFE47981E9CCBB88
                                                                                                  SHA-256:D10FA136D6AE9A15216202E4DD9F787B3A148213569E438DA3BF82B618D8001D
                                                                                                  SHA-512:C7CE8278BC5EE8F8B4738EF8BB2C0A96398B40DC65EEA1C28688E772AE0F873624311146F4F4EC8971C91DF57983D2D8CDBEC1FE98EAA7F9D15A2C159D80E0AF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:;..;..;Module Name:..;..; lci_proxywddm.inf..;..;Abstract:..; LuminonCore Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%LCI%..DriverVer=12/04/2018,1.0.2018.1204..CatalogFile=lci_proxywddm.cat....[DestinationDirs]..DefaultDestDir = 12..lci_proxywddm.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxywddm.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64]..1=%DiskId1%, lci_proxywddm.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1......;*****************************************

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53752
                                                                                                  Entropy (8bit):6.555505359489877
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:q4+LP4B5MAHFQq4OSGtGkVPKLIy0uwc0yeuUjsVbGVjp3haxZ3vOoKn:q4+LS5XYOSk1Kky0uww6s5mN3haxZI
                                                                                                  MD5:01E8BC64139D6B74467330B11331858D
                                                                                                  SHA1:B6421A1D92A791B4D4548AB84F7140F4FC4EB829
                                                                                                  SHA-256:148359A84C637D05C20A58F5038D8B2C5390F99A5A229BE8ECCBB5F85E969438
                                                                                                  SHA-512:4099E8038D65D95D3F00FD32EBA012F55AE16D0DA3828E5D689EF32E20352FDFCC278CD6F78536DC7F28FB97D07185E654FE6EEE610822EA8D9E9D5AF696DFF5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........N.9./.j./.j./.j.q.k./.j.q.k./.j.q.k./.j.r.k./.j.WQj./.j.r.k./.j./.j./.j'.7j./.j'.3j./.j'.0j./.j.r.k./.j.q.k./.j.q.k./.j.q.k./.j.q=j./.j.q.k./.jRich./.j........................PE..d....%.\.........." .....X...@......@T....................................................`.........................................P...P................................?.......... ...8...........................`................p...............................text....V.......X.................. ..`.rdata...%...p...&...\..............@..@.data...0...........................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):184016
                                                                                                  Entropy (8bit):6.2322376663017
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:uSNRRE5JX6GkYj9i/hXJTqHDh3ibNrg4WhC8MFMbgGYgITUP4uvo4B:uS6Pb5KnT2dSNsC+gGx62v/
                                                                                                  MD5:4DC11547A5FC28CA8F6965FA21573481
                                                                                                  SHA1:D531B0D8D2F8D49D81A4C17FBAF3BC294845362C
                                                                                                  SHA-256:E9DB5CD21C8D709A47FC0CFB2C6CA3BB76A3ED8218BED5DC37948B3F9C7BD99D
                                                                                                  SHA-512:BD0F0A3BBC598480A9B678AA1B35728B2380BF57B195B0249936D0EAAA014F219031A563F486871099BF1C78CCC758F6B25B97CFC5296A73FC60B6CAFF9877F6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Vj..7.R.7.R.7.R.j.S.7.R.j.S.7.R.i.S.7.R.i.S.7.R.i.S.7.R.j.S.7.R.7.R.7.R.j.S.7.RMi.S.7.RMi.S.7.RMi.S.7.RHi.R.7.RMi.S.7.RRich.7.R........PE..d....%.\.........." .....r...*............................................................`.........................................`M.......M..<................(.......@...........:..8...........................@:..................X............................text...`q.......r.................. ..`.rdata...............v..............@..@.data........`.......>..............@....pdata...(.......*...J..............@..@.gfids...............t..............@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138960
                                                                                                  Entropy (8bit):6.622950914796068
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Pi+6wKkplcu1L3/xFxqFYOA555ZRlremv59jYqN:6+9cu1oF/AnqqN
                                                                                                  MD5:67AE7B2C36C9C70086B9D41B4515B0A8
                                                                                                  SHA1:BA735D6A338C8FDFA61C98F328B97BF3E8E48B8B
                                                                                                  SHA-256:79876F242B79269FE0FE3516F2BDB0A1922C86D820CE1DD98500B385511DAC69
                                                                                                  SHA-512:4D8320440F3472EE0E9BD489DA749A738370970DE07B0920B535642723C92DE848F4B3D7F898689C817145CE7B08F65128ABE91D816827AEB7E5E193D7027078
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....%.\...........!.....6..................P...............................0.......4....@.....................................<........................@..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):122576
                                                                                                  Entropy (8bit):6.535740565012407
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:dfSVevFp3FKtVy8ka9N9UOUNFZWEw+1M4hyFi:BSYNpkUOUrgxeMlo
                                                                                                  MD5:B9B0E9B4D93B18B99ECE31A819D71D00
                                                                                                  SHA1:2BE1AD570F3CCB2E6F2E2B16D1E0002CA4EC8D9E
                                                                                                  SHA-256:0F1C64C0FA08FE45BEAC15DC675D3B956525B8F198E92E0CCAC21D2A70CE42CF
                                                                                                  SHA-512:465E389806F3B87A544AB8B0B7B49864FEEBA2EEEF4FB51628D40175573ED1BA00B26D6A2ABEBC74C31369194206ED31D32C68471DDDCF817FDD2D26E3DA7A53
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C^./.?.|.?.|.?.|jb.}.?.|.?.|d?.|jb.}.?.|jb.}.?.|jb.}.?.|.a.}x?.|.a7|.?.|.a.}.?.|Rich.?.|........PE..d....%.\.........."......N...N......,..........@................................................................................................(............@...........@......L.......8............................................................................text............................... ..h.rdata..l,..........................@..H.data........0......................@....pdata.......@......."..............@..H.gfids.......P.......2..............@..HPAGE.....R...`...T...4.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc..L...........................@..B........................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23528
                                                                                                  Entropy (8bit):6.370136009210867
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6kV9C2/s2Abnkr+YcSIVO67k5hVAi59RKzOqUIUz8JN77hhM/l:vP0bE+YHIO67kLZVj83ha/l
                                                                                                  MD5:D53AD812F1146CDDEA6A89806CC2439A
                                                                                                  SHA1:5102973DF29B7E70AD8845D3B5FA36DBEF294D56
                                                                                                  SHA-256:009DFAD5DEA03EA0C0B963EEA9CDCDB78668C8B35C19E2B92311D8703F00D6D2
                                                                                                  SHA-512:38C2BFF7125F5BFD51A5D4D49D3C68BBCF9065057686AF8CAF7C3025BAE27CDFF4928BFB37C26A6ABAA750C699B99619E874CDD5EEF79F0E4010BB9ACCE56085
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..D.|...|...|..v...~|...|..B|..v...r|..v...t|..v...~|..v...~|..v...~|..Rich.|..........PE..d....%.\.........." .....6...........1...............................................Q....@.........................................pC.......;...............`.......@.......p..0... ................................................................................text....4.......6.................. ..`.data...@....P.......:..............@....pdata.......`.......<..............@..@.reloc..Z....p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):48640
                                                                                                  Entropy (8bit):6.8164297445194135
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:xbWmecDs6zvVt94VbJqvhkqskgSjySwigs2K5m6Vj83h57zZ3ao:xbM6JX0Jq5kNGUsn5maI3h57zZ
                                                                                                  MD5:6A0CCBFF305B23A4BAE471025EC28D52
                                                                                                  SHA1:02519EC7FCC88969621B6DC7F1294DA4EA6EA611
                                                                                                  SHA-256:6659E90D80A2FA0CF9F6CE40E511D8763664E78820F27081935AC1BFD4723A19
                                                                                                  SHA-512:4D357E3E9B19E2C18D1D3A1E6916C542243D6FF24D783A526B9E1C1605C328CD079A77AEE38DFF19BEC66E584CFDB4DF910CF98DF668D1EB2E825E2D36F816F2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$................................................A................x)'....x) ..........[......[......[......^.-....[......Rich...................PE..L....%.\...........!.....N...2.......E.......`......................................}.....@..........................p..T....q.......................~...@..........0l..8...........................hl...............`..H............................text...;L.......N.................. ..`.rdata..\....`.......R..............@..@.data................n..............@....gfids...............p..............@..@.rsrc................r..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138984
                                                                                                  Entropy (8bit):6.623789818078503
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:0i+6wKkplcu1L3/xFxqFYOA555ZRlremv59jY3v:7+9cu1oF/Anq3v
                                                                                                  MD5:4276EDDE541ED3F488FA26778BDBB0D9
                                                                                                  SHA1:16E06CA60A9F8BCA515D193DFD28B120446BC178
                                                                                                  SHA-256:617F731B8F55F1AC23E47FE3C7CFD1110F198A5A9EB207FC485F739808446808
                                                                                                  SHA-512:280D6C3A85B26B4EE57534D33F035063B1DD56BA3671B48700833E4A61BEF1805C86316888AA5D8645603CA655F4172311B20C98533058823734C276A3CEA66B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....%.\...........!.....6..................P...............................0.......|....@.....................................<........................@..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):138960
                                                                                                  Entropy (8bit):6.623166316895491
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:3i+6wKkplcu1L3/xFxqFYOA555ZRlremv59jYWB:S+9cu1oF/AnqWB
                                                                                                  MD5:7CC448724952FA3B42A7B16DCBD4B50B
                                                                                                  SHA1:65CC211E57AE073EA89B188B66D3D473B403DEF5
                                                                                                  SHA-256:D90F351153CA9A51ECC24575B6A586A9A01AF24BD84F552F8305201260EE486A
                                                                                                  SHA-512:1C8F6034B4BA71C5D4508263DEDB00098C583F7EA4F39AE281E680C8DDA3583A0FE7FD00DD601E652CA0D301D29800AD13FC102038D4A836F99D44E331D3B2FD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....%.\...........!.....6..................P...............................0............@.....................................<........................@..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95464
                                                                                                  Entropy (8bit):6.7987777090492445
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:nbZYULZ73iO/kwji3FWx+FJ4gwgDNSV2U5ANaudsJvdjsCIrqhZxu3hUlZNO:nHL53D/djPxaJ4gGQU5ANaudsjg9+hZk
                                                                                                  MD5:21E18A96C9A2E6F0838DA7BBD272CE21
                                                                                                  SHA1:C940F5069CE95083865D2D985682D51296B81257
                                                                                                  SHA-256:6CA7A9B8F2600181A4D47FA7090FF37E412687E7EA64BA5CAC4319277BE60C74
                                                                                                  SHA-512:1819469664C0DDE5ADFDA140313C32F9874301E103FF74E95AC684BAB71D06668299B8092564993727DF380E276B2400C1E1025D9527F637826BFCDFC9D78E66
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................................8......=.=....8......Rich....................PE..L....%.\.....................*.......@............@..........................p......`.......................................4A..<....P...............4...@...`..x... ...8...........................X...@............................................text...|........................... ..h.rdata..D...........................@..H.data...............................@...PAGE.....?.......@.................. ..`INIT....r....@...................... ..b.rsrc........P.......$..............@..B.reloc..x....`.......(..............@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20968
                                                                                                  Entropy (8bit):6.629648031240336
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:uMuUBfWPmqKebW1j2zAAHOOntqVuvTRKzOqUAY8JN77hhecs:JHqKyWMvUutVjO3hob
                                                                                                  MD5:955C309947C5CAEFFB429DBF12DC13A1
                                                                                                  SHA1:5079A801E91F9ACBE996FBCAE6D402B7E5FC72D9
                                                                                                  SHA-256:59BBC2EBBA9CD056FBA8B80FC0E5DA9540D6E50F419216A1BB2A4B3E95AFB480
                                                                                                  SHA-512:BD4BBE228378466AD50F2B734438DDBD4FE8F6C7C3B573080834321C99E748512BE8511A927D4FD8B00635D320BEF7B245E05F174988F283B4339E1F8CED1BCE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=5.:yT.iyT.iyT.ip,QixT.iyT.iET.ip,WitT.ip,VixT.ip,GitT.ip,UixT.iRichyT.i........................PE..L....%.\...........!.....,..........-/.......@...............................`.......y....@......................... :......|3.......................6.......P..4...................................(...@............................................text....*.......,.................. ..`.data........@.......0..............@....reloc.......P.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_iddcx.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10660
                                                                                                  Entropy (8bit):7.072232435699263
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:2vBYcjEdZubhLtaSu9sZscF8Bd1LUEduasnZH5:B0+ZKoqZsHLUHPnh5
                                                                                                  MD5:CCC20AC60F19430FBFDA6D49F164654C
                                                                                                  SHA1:425253D81B930175321A9B54AB4B6D736D6AF8A2
                                                                                                  SHA-256:D96B2FBFDD9245EA1D46994183917340912FE9A07AC569B4F70AD51123E55EDB
                                                                                                  SHA-512:F9B9AB9DCF0286F2A5635DD8BE1DF5F7718017EC580B46A217EC4B77615F7D7F0FEF4484886884A912172BF8F6C16252AD5E982205AACAB73152F65A67951475
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.)...*.H........).0.)....1.0...`.H.e......0..M..+.....7.....>0..:0...+.....7..........Q.E..\>.i+...171023021614Z0...+.....7.....0...0....R5.3.3.7.3.F.4.5.5.C.1.1.5.0.1.F.5.3.6.B.3.1.E.4.3.E.0.4.0.D.4.C.C.6.A.8.2.0.3.4...1..K0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........S7?E\.P.Sk1.>..L. 40V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RB.5.5.0.5.C.6.8.0.6.1.6.0.4.1.9.C.1.F.7.1.F.4.A.8.0.8.4.4.C.A.8.5.9.D.3.9.9.F.8...1..K0>..+.....7...100....F.i.l.e........l.c.i._.i.d.d.c.x...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.........P\h.......J..L.Y..0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RF.2.E.E.E.C.2.3

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_iddcx.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4514
                                                                                                  Entropy (8bit):3.7907010583152645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:9G2XNDctEXHQ+C2C4kqWDZXpbdl5Vjnijla4UAiI6fOgTiYqG585wg3Jp:9XcWEDNRniWI6fyw5I
                                                                                                  MD5:9CF8CFC1E0815F7D72D136DE87B08EEA
                                                                                                  SHA1:F2EEEC23EC55758E5072619B62E6851234FA6D3C
                                                                                                  SHA-256:9CA9C7A430D0B608F1A6ADDD9E2C17BF79845783356CE6230ECA1942A061B157
                                                                                                  SHA-512:6D3FEE674C83B1E68CAE7F079F74A70931D432751420300DB77DB2B237A88D81AC3CD8B4B82532DCDDEE5D1DBEF3077ACD97B5890DFA0A497B97D7594E3C15F9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..;.....;.M.o.d.u.l.e. .N.a.m.e.:.....;. . . . .l.c.i._.i.d.d.c.x...i.n.f.....;.....;.A.b.s.t.r.a.c.t.:.....;. . . . .I.N.F. .f.i.l.e. .f.o.r. .i.n.s.t.a.l.l.i.n.g. .t.h.e. .L.C.I. .I.D.D.C.X. .D.r.i.v.e.r.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....C.l.a.s.s.G.U.I.D. .=. .{.4.D.3.6.E.9.6.8.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s. .=. .D.i.s.p.l.a.y.....C.l.a.s.s.V.e.r. .=. .2...0.....P.r.o.v.i.d.e.r.=.%.L.C.I.%.....C.a.t.a.l.o.g.F.i.l.e.=.l.c.i._.i.d.d.c.x...c.a.t.....D.r.i.v.e.r.V.e.r.=.1.0./.2.3./.2.0.1.7.,.1...0...2.0.1.7...1.0.2.3.........[.D.e.s.t.i.n.a.t.i.o.n.D.i.r.s.].....D.e.f.a.u.l.t.D.e.s.t.D.i.r. .=. .1.2.....U.M.D.r.i.v.e.r.C.o.p.y.=.1.2.,.U.M.D.F. .;. .c.o.p.y. .t.o. .d.r.i.v.e.r.s.\.u.m.d.f.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...x.8.6.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.N.a.m.e.s...a.m.d.6.4.].....1.=.%.D.I.S.K._.N.A.M.E.%.,.,.........[.S.o.u.r.c.e.D.i.s.k.s.

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_proxywddm.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11975
                                                                                                  Entropy (8bit):6.929505838705397
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:qRVW/ujEdZubhLtaSu9sZscF8Bd1LUY6uasnZHou49L:k+ZKoqZsHLUcPnhou4t
                                                                                                  MD5:186504237027590F25BEA0EC539256C8
                                                                                                  SHA1:A74309D7CFA8EF410EC85D3801D27291E8BC915A
                                                                                                  SHA-256:4CBD88D04F9C3B3DE3625B25049EA6B7C1614FFEA8730667BFF01DD210415ED1
                                                                                                  SHA-512:9D4B89A95DBF8D0ABFC55AE44C9CBFB29EB64AB1FFFBB81FFAB4308ED4CFD040F9A883B2B7B7A375B1675DD08532378C38410F4DB737FBDA2913EB28DE18A933
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.....*.H..........0......1.0...`.H.e......0..p..+.....7.....a0..]0...+.....7........6Q..G...Z-.....171023021614Z0...+.....7.....0...0....R3.3.1.5.E.7.A.8.9.7.B.E.4.1.D.7.B.F.9.6.3.D.7.3.4.B.9.E.D.3.4.A.B.4.2.8.B.3.4.3...1..S0F..+.....7...1806...F.i.l.e.......$l.c.i._.p.r.o.x.y.w.d.d.m...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........3...A..=sK..J.(.C0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.1.F.E.C.F.B.D.C.E.6.5.6.6.2.5.C.6.1.8.C.1.4.4.2.3.4.D.6.E.B.9.4.3.9.B.A.C.E.2...1..Q0D..+.....7...1604...F.i.l.e......."l.c.i._.p.r.o.x.y.u.m.d...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+........q...ef%...D#Mn.C...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.6...1.,.2.:.6...2.,.2.:.6...3.,.2.:.6...4...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\lci_proxywddm.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2715
                                                                                                  Entropy (8bit):5.418922446200014
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:qnch1OKbzLbS10bzPbSvb/mwwophwwoJOxWqrz61/zA9cjiJIjgW5FH1519HS4Bc:Pcua1YuSnEhn/A7ic4d4y
                                                                                                  MD5:07DC873615C74141FB8A646F6FE1D378
                                                                                                  SHA1:7E2D32A5ACE72B7F3919215B707096B52CC3B5EC
                                                                                                  SHA-256:F97F4A79BF9ACB0D7FFB257CB3E16687F6281B8687C79361B680764F3427EF61
                                                                                                  SHA-512:8D59EBD58BFCDBD0115C22148DDFB1DE73E3D0C2AA42B2772B75F12D76BFA4FC3E8356346F0BE9B8F5631443FBCCCFD63354235E701A966CE104BDDC9A4987AD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:;..;..;Module Name:..;..; lci_proxywddm.inf..;..;Abstract:..; LuminonCore Display Proxy Driver..;..;..[Version]..Signature="$WINDOWS NT$"..Class=System..ClassGuid={4d36e97d-e325-11ce-bfc1-08002be10318}..Provider=%LCI%..DriverVer=10/23/2017,1.0.2017.1023..CatalogFile=lci_proxywddm.cat....[DestinationDirs]..DefaultDestDir = 12..lci_proxywddm.CopyFiles = 12 ; drivers..lci_proxyumd.CopyFiles = 11 ; system32..lci_proxyumdwow.CopyFiles = 10, SysWow64 ; x64-specific....[SourceDisksNames.x86]..1=%DiskId1%, lci_proxywddm.sys,,\x86..1=%DiskId1%, lci_proxyumd.dll,,\x86....[SourceDisksNames.amd64]..1=%DiskId1%, lci_proxywddm.sys,,\x64..1=%DiskId1%, lci_proxyumd.dll,,\x64..1=%DiskId1%, lci_proxyumd32.dll,,\x64....[SourceDisksFiles.x86]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1....[SourceDisksFiles.amd64]..lci_proxywddm.sys = 1..lci_proxyumd.dll = 1..lci_proxyumd32.dll = 1......;*****************************************

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):46528
                                                                                                  Entropy (8bit):6.272518240848504
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:ql+LPDB5MAHFg6IWSG1ucVPajIyouwc09euwjsV3xnxhc:ql+Lt5X4WSM1a8youwzOsVxA
                                                                                                  MD5:F018A1846A12B5DFF4A5FB0343745BBA
                                                                                                  SHA1:C8E871A51E43B5E71A4D1ACA0A791B375CABAC86
                                                                                                  SHA-256:3E5D8C95805CAECFC1BF5F689F036D1831E375E573F2B0BFFA4BBB59EA36B853
                                                                                                  SHA-512:7DECEBD14950548436EB110F93A5951ABE42B6CACF8A041F77DFCE923FFB28B6B399EC3166F0D64A1B098F9671F73E43D020977D7EC093F7B786038C4A05C3B8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........N.9./.j./.j./.j.q.k./.j.q.k./.j.q.k./.j.r.k./.j.WQj./.j.r.k./.j./.j./.j'.7j./.j'.3j./.j'.0j./.j.r.k./.j.q.k./.j.q.k./.j.q.k./.j.q=j./.j.q.k./.jRich./.j........................PE..d....P.Y.........." .....X...@......@T....................................................`.........................................P...P................................#.......... ...8...........................`................p...............................text....V.......X.................. ..`.rdata...%...p...&...\..............@..@.data...0...........................@....pdata..............................@..@.gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):176576
                                                                                                  Entropy (8bit):6.124833448410162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:WSNRRE5R1pHa9i/hXYTqHDh3ikNrgfxhxe74bgGY53Urb7:WS67jsKCT2d1NsDgGY5387
                                                                                                  MD5:37CF508FA1EB389ED85F822BAF9EF9B9
                                                                                                  SHA1:1720BEFADBD467FD715CE301545BC1FF02DB4681
                                                                                                  SHA-256:FA4CAC0B0361D85CE6220809FA85DFE3B295A187A7B58DD5FE5B06A7CE19F7FA
                                                                                                  SHA-512:B90CD035F83245EEDC1FC09ADEDFAC341411CFC47D130B891B2CC83B908F9F683DFFB140AA61F11B7BD15C8A5725070A92659CC567FA58F5879A1790B56833F5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Vj..7.R.7.R.7.R.j.S.7.R.j.S.7.R.i.S.7.R.i.S.7.R.i.S.7.R.j.S.7.R.7.R.7.R.j.S.7.RMi.S.7.RMi.S.7.RMi.S.7.RHi.R.7.RMi.S.7.RRich.7.R........PE..d....P.Y.........." .....r...*.......................................................F....`.........................................`M.......M..<................(.......#...........:..8...........................@:..................X............................text...`q.......r.................. ..`.rdata...............v..............@..@.data........`.......>..............@....pdata...(.......*...J..............@..@.gfids...............t..............@..@.rsrc................v..............@..@.reloc...............z..............@..B................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):131520
                                                                                                  Entropy (8bit):6.5166932980708925
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Si+6w0ko6NDV3yLa/xzmqFq6/5GWRlrjmLS9jYIo3:h+xNDVCYFB/vqIo3
                                                                                                  MD5:A9D5E6605391A4CE7E3699D5C39BA851
                                                                                                  SHA1:54950896563D61917A4A61949E8B3552BC85A061
                                                                                                  SHA-256:EA06D1A20DDDBF33AA776DE2036651F5B2A2AFF9503A2D7174C11000F92D0396
                                                                                                  SHA-512:91FB4793621E8FDE6E62074F8545C4AFB636DBFAF3C236E803325DEE7B2CB33F5F1B183D565D11195912CF6DC2BBDA8F472D844AD8AF5C7738EFCB702D71BB59
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....P.Y...........!.....6..................P...............................0.......Z....@.....................................<........................#..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):115136
                                                                                                  Entropy (8bit):6.395746141588922
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:7d+TsLFRVW08y8ka9xh+V3Un7C8PcYNzAR2k:R+wpCh+Vk7LPcWE0k
                                                                                                  MD5:91F0E25E7EDF20F4B262A5419CDF73F2
                                                                                                  SHA1:3D09164F4298A0EB1EEC978C1D3CA8259AABA326
                                                                                                  SHA-256:D9EF2E7A55DE74FFB18CFD2CD875089B81416B636CB6BD73A6DAFDDD5E3E0BF4
                                                                                                  SHA-512:2F4076F08EA9F3960A374F872AA547581811B4D1D225978F4FDFB5E42EF6FE79C491A53B33F7DD1E2B71BE6A281EFE29E7BF8ECFFD660D101F456AC4D456FA75
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C^./.?.|.?.|.?.|jb.}.?.|.?.|d?.|jb.}.?.|jb.}.?.|jb.}.?.|.a.}x?.|.a7|.?.|.a.}.?.|Rich.?.|........PE..d....P.Y.........."......N...N......,..........@................................................................................................(............@...........#......L.......8............................................................................text............................... ..h.rdata..d,..........................@..H.data........0......................@....pdata.......@......."..............@..H.gfids.......P.......2..............@..HPAGE.....R...`...T...4.............. ..`INIT................................ ..b.rsrc...............................@..B.reloc..L...........................@..B........................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25536
                                                                                                  Entropy (8bit):6.407648101166343
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:FkVsC2/s2Abnkr+YcSIVO67k5hVEi4ZKoqZsHLErHPnhk:nP0bE+YHIO67kLcn2/hk
                                                                                                  MD5:1FB5DE2628ECB1E835B18FDA9EB0CF29
                                                                                                  SHA1:560AD3A8FC97187403754FBE2F3DBA056948B6CA
                                                                                                  SHA-256:D1ADED22243AAF4B8727B064073B9CB1C33214DA01E76D08E69996E52E774538
                                                                                                  SHA-512:E51BD203950E4D5DF2E26E59D90D8DC7E0B2D767C58688D2CBAB0BFD5ED5C884A72E029A737FCF1E04C908D7404645EDEC609A2E7C42E6BDCA1CDD04AB2169CC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;..D.|...|...|..v...~|...|..B|..v...r|..v...t|..v...~|..v...~|..v...~|..Rich.|..........PE..d....P.Y.........." .....6...........1....................................................@.........................................pC.......;...............`.......@...#...p..0... ................................................................................text....4.......6.................. ..`.data...@....P.......:..............@....pdata.......`.......<..............@..@.reloc..Z....p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):41408
                                                                                                  Entropy (8bit):6.573292469340805
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:jbWmecDs6zvVt94VbJqvhkqskgSjyzFigs2Ktmen4hI:jbM6JX0Jq5kNGcsntmer
                                                                                                  MD5:33C12C6F8271195C79B755388642FF77
                                                                                                  SHA1:ABF3438FC7FF738BF3D030AE68BB16CBF4848462
                                                                                                  SHA-256:086E922B53D801F63043D067A185893E5CD6341394B0E8C253D08D85D14B60A5
                                                                                                  SHA-512:13B8EEDF0E98476E40DAB4059C6E91C591FA1DD21844151916CA70E1440FE22FA211D53E766D37DF0E494739C7881AF340731FCCAFAE73CAF81733D9FC1E1E88
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$................................................A................x)'....x) ..........[......[......[......^.-....[......Rich...................PE..L....P.Y...........!.....N...2.......E.......`......................................%.....@..........................p..T....q.......................~...#..........0l..8...........................hl...............`..H............................text...;L.......N.................. ..`.rdata..\....`.......R..............@..@.data................n..............@....gfids...............p..............@..@.rsrc................r..............@..@.reloc...............v..............@..B................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):131520
                                                                                                  Entropy (8bit):6.516896540085767
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/i+6w0ko6NDV3yLa/xzmqFq6/5GWRlrjmLS9jYIo8:K+xNDVCYFB/vqIo8
                                                                                                  MD5:F67D8A541D407C6886D6358248014B8E
                                                                                                  SHA1:9E17CD44ABBE3B30E0B52FBC5A6012BEA2CFCE61
                                                                                                  SHA-256:919ACBEDDCBFE27D12EE44ECD38044D880A68622D7BC412FF81B089746C79E5F
                                                                                                  SHA-512:674D9427B3F62382AD56EA647FD131CFF2E78CF31D5E7F608191390E752C382946C4CADB26B556F670C8C4A1C9245D1857841527C755BC505295224C4256C495
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....P.Y...........!.....6..................P...............................0............@.....................................<........................#..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):131520
                                                                                                  Entropy (8bit):6.517207826538128
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Bi+6w0ko6NDV3yLa/xzmqFq6/5GWRlrjmLS9jYIod:s+xNDVCYFB/vqIod
                                                                                                  MD5:66541304390931345318FA3802797820
                                                                                                  SHA1:11B3116900D0BB1D9F49E39788C4C21A6B82954E
                                                                                                  SHA-256:B9CB315AD55CAD2147AAEBDCCC02055868DAF3EFD9F25384E50E80CE81EC018E
                                                                                                  SHA-512:852EF5A95F5827E8BCBC437371FFE6B3959AD41F319721E14804BD143E1597753F0DE4DA86864098F11B4F0698831529054D07B3650AECE83DAB2E5A7C51AE2A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............v.X.v.X.v.X.+.Y.v.X.+.Y.v.X.(.Y.v.X.(.Y.v.X.(.Y.v.X.+.Y.v.X.v.X.v.X.+.Y.v.Xu(.Y.v.Xu(.Y.v.Xu(.Y.v.Xp(;X.v.Xu(.Y.v.XRich.v.X................PE..L....P.Y...........!.....6..................P...............................0......."....@.....................................<........................#..............8..............................@............P..$............................text....4.......6.................. ..`.rdata..Rw...P...x...:..............@..@.data...t...........................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):88000
                                                                                                  Entropy (8bit):6.656236620722421
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:1++m+LZZ3SFkKjrZFWUwTK4gCQ7fBr8UQ6SIDXvjeIg6NhUA0d:1LL73SFHjOUaK4gNoUQ6SE7hXNhUA0d
                                                                                                  MD5:B36B39A2AA5C15D0167A7D8454AE71A6
                                                                                                  SHA1:2CD2E7DAF1762A44F4FD4FC84FFC60D84A2AEFA6
                                                                                                  SHA-256:01871A132386F81DFD4894E9DAEB9433C4BE2A99EBE8FEC954E5182A43E96AF0
                                                                                                  SHA-512:4BC14EDF6C0A9695764DEAD9C90F502DCDB7F420BD54794539183BFFECD054218290C23C57155EF982F1DAA4B479DAF80B63C7CA643F73AF2A66AC01E96926E4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................................8......=.=....8......Rich....................PE..L....P.Y.....................*.......@............@..........................p.............................................4A..<....P...............4...#...`..t... ...8...........................X...@............................................text...,........................... ..h.rdata..D...........................@..H.data...............................@...PAGE.....?.......@.................. ..`INIT....r....@...................... ..b.rsrc........P.......$..............@..B.reloc..t....`.......(..............@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22976
                                                                                                  Entropy (8bit):6.652405722283548
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:pMuUkfWPmqKebW1j2zAAHOOntqVOviZKoqZsHLEF0PnhjIS:VHqKyWMvUOyncIhjIS
                                                                                                  MD5:893828FDA5B4026B36C238CBED43BCC2
                                                                                                  SHA1:B485E255B2F6F1C294BC127AA2BE14A39C346F56
                                                                                                  SHA-256:CEA46DCCAF211E71DE3895C08E7C9A828C53232EDDBC90C0A6E3552826A8DDFA
                                                                                                  SHA-512:951598591F2A395F8C5F993A5BD850CED11F43433DF00CF5B12CBAB360949E305A52CDF55A675C8FE59F275432C92D479444C91F71AB39AB342200560972A6A6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......=5.:yT.iyT.iyT.ip,QixT.iyT.iET.ip,WitT.ip,VixT.ip,GitT.ip,UixT.iRichyT.i........................PE..L....P.Y...........!.....,..........-/.......@...............................`.......(....@......................... :......|3.......................6...#...P..4...................................(...@............................................text....*.......,.................. ..`.data........@.......0..............@....reloc.......P.......2..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8367
                                                                                                  Entropy (8bit):7.279860186543382
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:+2A2RJoIo6vyowJL/aoxhHoe068jSJUbueqw4G:JRaD8YJLFHJ06dUb+w1
                                                                                                  MD5:092FF1A83123D816B748F0D382792543
                                                                                                  SHA1:C1D1E85955113B8AAB604107738E6B532FE5C706
                                                                                                  SHA-256:E81535236E4BDC5534677D05AB3DB67F03283E756233924945CC7D93D394DB5A
                                                                                                  SHA-512:7A24AF6CEF474663E615F9BCD5780D97D4249AE8D767EB60927A2BF7B7E66B1777486886C7A053C30301F98E22CCD5AAB7877BC47FA5000C34A707806B198864
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7...........cA.....G....081005153941Z0...+.....7.....0...0....R1.7.C.9.C.C.1.B.2.1.1.8.1.0.C.9.D.B.5.7.8.5.3.B.0.8.5.1.7.E.8.E.F.A.A.7.6.D.C.E...1..702..+.....7...1$0"...F.i.l.e........m.v.2...d.l.l...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............!....W.;.Q~...m.0....R9.6.B.8.E.2.E.D.6.3.F.5.4.B.E.B.4.E.0.8.7.7.1.2.A.D.A.7.5.2.0.C.2.3.7.9.C.5.C.4...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............c.K.N.w...R.#y..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RA.9.4.9.3.C.B.6.B.6.B.E.D.A.B.7.E.8.3.E.2.B.8.D.E.C.1.9.5.6.9.2.7.A

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26048
                                                                                                  Entropy (8bit):6.292871779652706
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:U2dFSGikkp4cE8WWk2lg0ZeE313MrnCbuSLwJiU:deeJlGMroJIiU
                                                                                                  MD5:867F3CA0E3A4B57F5BA7519B645AED66
                                                                                                  SHA1:837676FE5C7B62AFAA4D49E6AC51EDF948AD1757
                                                                                                  SHA-256:1A392E8731E4F01476C54FB4FD408F590D8530C34E3835081886A0056A91E502
                                                                                                  SHA-512:27E21584DC54D1996FDFEE2002027061A160E89BD3B7249C017D91900381102674D65282E9B623F002F392BBF8649F0092DE9CB46C70B739A42EE62A3753C8FF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9...W...W...W..=,...W...V...W..=*...W..=:...W..=&...W..=+...W..=/...W.Rich..W.........PE..d......H.........." .....2...........7............................................... .......................................................p..(............`..,....J..........<....@...............................................@...............................text....-.......................... ..h.rdata.......@.......2..............@..H.data........P.......8..............@....pdata..,....`.......>..............@..HINIT.........p.......@.............. ....rsrc................D..............@..B.reloc...............H..............@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2255
                                                                                                  Entropy (8bit):5.3700497661675906
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:ehVVpvnf4+BCs00c/9XSvFhb54y83WhJhdYpBBh22wlFTP/7bp:MJfJ00Si4yMyA7DwlFLB
                                                                                                  MD5:1B4F828FC21AA28C3CE863A31C1F9D48
                                                                                                  SHA1:96B8E2ED63F54BEB4E087712ADA7520C2379C5C4
                                                                                                  SHA-256:E7F85212D7708402910830576B0BD84873C24A1339CFD3EBBE5A2939127438D4
                                                                                                  SHA-512:9CF0E701ADCBBE05652F623A34849910C657FA9536513835D18FD184FAAD47B62C28437237A78494B8E31F5E27C0BDDCD9D4CB5C5B4BEDC56EF0842553AB3064
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg,NTamd64....[stdMfg.NTamd64]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup =

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11712
                                                                                                  Entropy (8bit):6.137352195821723
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:8hD6YJoIo6vyowJL/aoxhHoe068jSJUbueqycZ:8hD6YaD8YJLFHJ06dUb+BZ
                                                                                                  MD5:4B6B1EF53636E2C5A9EB9AF291970073
                                                                                                  SHA1:868C5A226293EEB37C513E106A80B9EE9A01684A
                                                                                                  SHA-256:25444A485A800E2609AD56179146DD24C41E3E56A10969037D4914BAA452DF53
                                                                                                  SHA-512:05B3D52E62ABB995B3EA4BEBE7C3D18354124772D97287BAAF4474ADBF9BD537AC258974C1C0B2EC1C7E3779D27D411FE74550FEA77A36D06A6D99FFD0628A7F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:f.q[..q[..q[..q[..r[..V.s.t[..V.u.p[..V.e.r[..V.y.p[..V.t.p[..V.p.p[..Richq[..........PE..d...p .G.........."..................P.......................................p......cQ......................................................dP..<....`.......@......................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@......................@..HINIT.... ....P...................... ....rsrc........`......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\install.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16
                                                                                                  Entropy (8bit):3.625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:setupdrv install

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txt

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1150
                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):90688
                                                                                                  Entropy (8bit):6.200545275172027
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:I/QY76jVjfCCHOLvctoA3eDDjEcUVzDOhtMRFS3CZiR3IeSkuH5ysQyMXq:I/QNjfCEoAOD0cUVWhmRLARnSDH5y1yv
                                                                                                  MD5:6C788D13DEDCD6EB9E022ACA8BD1C3FA
                                                                                                  SHA1:741A5342618A0AF7AC6E3F947FB3BC128477E237
                                                                                                  SHA-256:0BB050B230CA684DE7021D9B66303C71F408885163B20166E7047C223E0EE01E
                                                                                                  SHA-512:9CEEBC23EF82A302250291B0D3584F9CE9328DEA8850F49A3473B6B5392FCE4299AC0535A0F9AAF0A22047293DFD2AC70DF4002E21BF7B1BB1711E9984C9BC33
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nx..Nx..Nx.....Nx......Nx.....Nx..Ny.ENx......Nx......Nx......Nx.Rich.Nx.................PE..d....T.G..........#..........n.......E.........@.....................................8......................................................."..x....................L..@............................................................................................text............................... ..`.rdata...@.......B..................@..@.data...d=...@....... ..............@....pdata...............6..............@..@.rsrc................B..............@..@........................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\uninstall.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):411
                                                                                                  Entropy (8bit):4.977180725182127
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kCdGk3hd0E23B1047V1j47V1u471kgAq3Gn3C:/1RqXRC4R94RQ4dAqqy
                                                                                                  MD5:2203EE251159885EF20D6970F67529C3
                                                                                                  SHA1:D775009C08D7EC7F684FC7B657DDC7BCB7DA94C6
                                                                                                  SHA-256:C3D0070A0EA5BB0708565930199C77E7DC4BFC31A6B368B2F8A7B0239E739304
                                                                                                  SHA-512:3A1BBF3F460DCDCDE1DE3D5F345973D1827EB717AB7FCA3C3DE5A12E324125EF94D7FFC34F664D5C1763790E3A4189F065DFCA4E0E7FB43E4BEC0DA32255E785
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon64.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd64.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8367
                                                                                                  Entropy (8bit):7.270789935373524
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:+90+LRJoIo6vyowJL/aoxhHoe068jSJUbueqNb:eBRaD8YJLFHJ06dUb+Nb
                                                                                                  MD5:80D00FB5201EE5E66D8230B8440A7643
                                                                                                  SHA1:0DD971723322BB0EC8D7EF71D6389F839F6EBE30
                                                                                                  SHA-256:C17A1DE10DF4DF8A51E1EE7EDB209E6DEBF34285E327A7C669EF0E04E1BED72C
                                                                                                  SHA-512:C01F6AB36E2007E18DE27B46CB51BC8896AF5666FE18F39DADB0DC90B0DAAC2AB6580F31B0B15BD83D5453932A1299AE17E8DBA298D20B656945DEB0506F6AB5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7.......r..V5B.r/.9.V...081005153046Z0...+.....7.....0...0....R8.3.5.1.9.D.3.B.C.A.9.2.3.C.F.2.9.A.9.3.D.9.2.E.A.4.1.3.A.5.C.E.D.E.5.B.B.E.0.0...1..702..+.....7...1$0"...F.i.l.e........m.v.2...s.y.s...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........Q.;.<........[..0....R8.7.E.8.4.F.A.7.5.6.B.9.8.F.1.4.3.7.F.F.8.F.8.D.D.9.A.2.D.C.B.6.D.0.6.2.8.5.1.5...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...0...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+..........O.V...7......b..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RD.7.9.F.6.E.3.3.5.F.D.E.2.3.6.B.8.1.F.9.D.B.0.D.4.2.F.1.4.8.4.B.7.B

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23488
                                                                                                  Entropy (8bit):6.423731919049599
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:QvTfgigZKPBRDwvp5BY83HV8diQFHbsQaD8YJLFHJ06dUb+DQ:QLfpqKZRDMq6HV89HbsQSLwJiDQ
                                                                                                  MD5:55CB63E6661D7A911C74BF39986336AB
                                                                                                  SHA1:1F26A92347F58DC9616B611F1E8A29E0E6B94D67
                                                                                                  SHA-256:9C5E913DB4B4BE861EEC63C071FBCC6A3BC60A0D11949EC47251780508A83E25
                                                                                                  SHA-512:B31838612588A4CA9BB6B7D5DD0EABB69BF8FD41170FA71A0D7357D31BAFDF3075F0DE070160AFB58DAACEC5BB47EF34316E652DE9421B186F91BDCAA2BF58A2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........8..k..k..k..k..k.*.k..k.*.k..k.*.k..k.*.k..k.*.k..kRich..k................PE..L...h..H...........!.....,...........1.......@......................................^a.......................................`..(....p...............@..............p@...............................................@..p............................text....&.......(.................. ..h.rdata..q....@.......,..............@..H.data...@....P.......0..............@...INIT....r....`.......4.............. ....rsrc........p.......8..............@..B.reloc...............<..............@..B........................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2243
                                                                                                  Entropy (8bit):5.362010783542873
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:ehVVpvnf4+BCs0j/9XSvFhb54y83WhJhdYpBBN22wlFTP/7bp:MJfJ0di4yMyAXDwlFLB
                                                                                                  MD5:AEA986639139A63559A39BE4A9986B39
                                                                                                  SHA1:87E84FA756B98F1437FF8F8DD9A2DCB6D0628515
                                                                                                  SHA-256:78A01CCC86628727E603A74BF008DBD95B465031EFA6FB52AB9496293E8470E1
                                                                                                  SHA-512:37E092646B88E45962737ED696C575F944E15BAD3884442A60D7DE427E8669AE1B3C578CE959D2D304A7668CC84F8F3E0C220A4988D4C15197228466456B3878
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg....[stdMfg]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup = Video..ServiceBi

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11712
                                                                                                  Entropy (8bit):6.022711070794495
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:+SniyJoIo6vyowJL/aoxhHoe068jSJUbueqrII:OyaD8YJLFHJ06dUb+J
                                                                                                  MD5:B435F95592AD8E6FC3BACD4A7E89B614
                                                                                                  SHA1:287FA71A499CB6AA7E806BB6106C7401CD504ACA
                                                                                                  SHA-256:331F200BCEA80E55743CE8CCF49B18785F70CAF21C13B15FBA9A3A9D32C6A46E
                                                                                                  SHA-512:53373208640AC22F23B4C56D9C9AC32E0837314E736D14FEAF2A571594886A3D6EF42B875980D39FBE9103C101CDAED43740EB026FFFA6019503E39A85E38086
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}K..9*r.9*r.9*r.9*s.:*r.....<*r.....;*r.....8*r.....8*r.Rich9*r.........................PE..L...j .G.............................@....... ...............................p.......b......................................H@..<....P.......................`..0... ............................................... ...............................text............................... ..h.rdata....... ......................@..H.data........0......................@...INIT.........@...................... ....rsrc........P......................@..B.reloc..V....`......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\install.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16
                                                                                                  Entropy (8bit):3.625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:setupdrv install

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txt

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1150
                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):5.9219061141523825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:1zCCrWvSRU7VEBmGDnw29Gz07X83JlcytyCpw:1zCCrM7Uio83JljtyIw
                                                                                                  MD5:50F6A9509729A6D8D97E29AD259C6A1E
                                                                                                  SHA1:1AEADFC64CD4D6B9D878F93999A4D571936CCA91
                                                                                                  SHA-256:C8B3049C278B7E3FE2CFE4D84096A292CC14557EBCC02B8998EB14C83289EB8F
                                                                                                  SHA-512:71660BEE4D58074B05538DA18F905CBFAF1567C60AA02F7C979571F3D21AC2AD56F19B3B7FEB2430686302222932CB901B0B895C16076EF1963CC93C94311769
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p..p..p......p......p.n....p..p."p......p......p......p.Rich.p.................PE..L.....H.....................`.......<............@..........................p......z_..........................................x....`..4...............................................................@............................................text............................... ..`.rdata...0.......@..................@..@.data...d3... ....... ..............@....rsrc...4....`.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\uninstall.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):405
                                                                                                  Entropy (8bit):4.932556842608647
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kCdgk3hdyE23B1047V1j47V1u47jkgAq3Gn3C:/jR8XRC4R94RQ43Aqqy
                                                                                                  MD5:00A98380A84308DFEDB409827DB9C916
                                                                                                  SHA1:F31EC578108616125450187C709B6E133425BC25
                                                                                                  SHA-256:948C84A52F8847798150629B396E29857C0C7EB77550276A000E02B2B9C85A4E
                                                                                                  SHA-512:73AFAEB0394B470102A05D6E7F1195E60BEFE5469241C5ED182032AC80E54196945E7E9AA9AC2391DC13528E06F3D6C165C4083ECFE6B6F07A1E8F2E30AA5A8E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8403
                                                                                                  Entropy (8bit):7.26515273733877
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:VafwaRJoIo6vyowJL/aoxhHoe068jSJUbueqO0:VQRaD8YJLFHJ06dUb+O0
                                                                                                  MD5:9B3AB5B97500F2C39C75EA2910BC6420
                                                                                                  SHA1:42267EA620E0EF5B0F4DBF25B705F1B3C4D03649
                                                                                                  SHA-256:32557B63B75CE1DBB761C22092E130561FE6B156CD1D0F96E809E8D0A32E89A6
                                                                                                  SHA-512:BFEBCC8BA47E7E0F7FA6218E2A057C3ADD8C570B839ACA3F159495024028A9F6408143FB7A34F2EAD66278401898150A497339BEF3E671A3212055EC73056009
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0.....+.....7.....v0..r0...+.....7.........8U<F..n1.L.\..081005153929Z0...+.....7.....0...0....R4.7.2.9.5.6.B.E.1.5.7.7.9.6.F.0.3.4.9.B.9.C.D.9.3.0.D.5.0.9.5.1.B.6.2.F.6.9.B.D...1..C02..+.....7...1$0"...F.i.l.e........m.v.2...d.l.l...0>..+.....7...100....O.S.A.t.t.r........2.:.5...1.,.2.:.5...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........G)V..w..4...0..Q./i.0....R9.6.B.8.E.2.E.D.6.3.F.5.4.B.E.B.4.E.0.8.7.7.1.2.A.D.A.7.5.2.0.C.2.3.7.9.C.5.C.4...1..;02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...0>..+.....7...100....O.S.A.t.t.r........2.:.5...1.,.2.:.5...2...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+............c.K.N.w...R.#y..0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RD.F.A.3.A.B.F.9.9.C.2.4.E.2.7.D.8.6.3.9.B.2

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25536
                                                                                                  Entropy (8bit):6.314384276589044
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:jdxcojc4oPxNtS4v28b3pnd6DABnOSLwJiz:jdj9oPxjNv2YnPdpIiz
                                                                                                  MD5:52E972E497645851FA910787CC2050E0
                                                                                                  SHA1:1CE9A93996DFC5F24DF8CAD16E15555BE368B956
                                                                                                  SHA-256:B0C07A2912B4EC67CA8A37B890DB33A62CC0DB3A733CD6D146FF6F865D6E4B88
                                                                                                  SHA-512:4CADF2BFA9056A1756BB79C4EB2842E8A9A132544305EAB0F1433AF2C890B24DA3614E5E241A86358CF47FBF7F0A783102850346CAB2FA04B1AEDC9B81C79E94
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9.].W.].W.].W.].V.F.W...,.^.W...:.Z.W.....\.W.../.\.W.Rich].W.........PE..d......H...........!.....2..........0=..............................................g'.......................................................p..(............`..,....H..........<....@...............................................@...............................text....-.......................... ..h.rdata.......@.......2..............@..H.data........P.......8..............@....pdata..,....`.......<..............@..HINIT.........p.......>.............. ....rsrc................B..............@..B.reloc...............F..............@..B................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2255
                                                                                                  Entropy (8bit):5.3700497661675906
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:ehVVpvnf4+BCs00c/9XSvFhb54y83WhJhdYpBBh22wlFTP/7bp:MJfJ00Si4yMyA7DwlFLB
                                                                                                  MD5:1B4F828FC21AA28C3CE863A31C1F9D48
                                                                                                  SHA1:96B8E2ED63F54BEB4E087712ADA7520C2379C5C4
                                                                                                  SHA-256:E7F85212D7708402910830576B0BD84873C24A1339CFD3EBBE5A2939127438D4
                                                                                                  SHA-512:9CF0E701ADCBBE05652F623A34849910C657FA9536513835D18FD184FAAD47B62C28437237A78494B8E31F5E27C0BDDCD9D4CB5C5B4BEDC56EF0842553AB3064
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=04/11/2007,6.0.1.0..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg,NTamd64....[stdMfg.NTamd64]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup =

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11712
                                                                                                  Entropy (8bit):6.137468737457105
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:8CvhDWQJoIo6vyowJL/aoxhHoe068jSJUbueqEQ:hhDWQaD8YJLFHJ06dUb+EQ
                                                                                                  MD5:0469611E7DC0A882D123DC89FE386C01
                                                                                                  SHA1:7059D4EFBE980F3A355CF8401A33F7EA1E129CD9
                                                                                                  SHA-256:BFFA6606A5CCD1F79EF7D0F591BD6EE8FDE28C266EA8C8608D423321174CB87C
                                                                                                  SHA-512:FA1ED8E1A312497A1DCFB73F12D545BA298063250FCDC9E03B4EC71DD86C91743104EB322351F4AD1E33CDD3E412E92595EBA03EE860D013B0A2646BCB467327
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.g'..g'..g'..g&..g'...\..g'...J..g'...Z..g'...J..g'...V..g'...[..g'..._..g'.Rich.g'.........................PE..d...0 .G.........."..................P.......................................p......u.......................................................dP..<....`.......@......................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata.......@......................@..HINIT.... ....P...................... ....rsrc........`......................@..B................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\install.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16
                                                                                                  Entropy (8bit):3.625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:setupdrv install

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txt

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1150
                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):90688
                                                                                                  Entropy (8bit):6.200844475591763
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:D/QY76jVjfCCHOLvctoA3eDDjEcUVzDOhtMRFS3CZiR3IeSkuH5ysQyMK:D/QNjfCEoAOD0cUVWhmRLARnSDH5y1y3
                                                                                                  MD5:137E02F6D5D1BEB5F8096AA34C93545C
                                                                                                  SHA1:8550A23A017B440A7D558F4DBC959C643262D803
                                                                                                  SHA-256:9CE571A987AEE98698D1A70D39A744A416136370D5659B23DE8C1CC523CEEB83
                                                                                                  SHA-512:38DD0F680C3D906307B0BDD835E035D154F0F65DCB69D25455D81F50F6E1ECC3854A507A26B2C1FE029B05EC1BC7ABB974DDB2190BC06B5808C4A14E243E808D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...Nx..Nx..Nx.....Nx......Nx.....Nx..Ny.ENx......Nx......Nx......Nx.Rich.Nx.................PE..d....T.G..........#..........n.......E.........@....................................._......................................................."..x....................L..@............................................................................................text............................... ..`.rdata...@.......B..................@..@.data...d=...@....... ..............@....pdata...............6..............@..@.rsrc................B..............@..@........................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\uninstall.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):411
                                                                                                  Entropy (8bit):4.977180725182127
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kCdGk3hd0E23B1047V1j47V1u471kgAq3Gn3C:/1RqXRC4R94RQ4dAqqy
                                                                                                  MD5:2203EE251159885EF20D6970F67529C3
                                                                                                  SHA1:D775009C08D7EC7F684FC7B657DDC7BCB7DA94C6
                                                                                                  SHA-256:C3D0070A0EA5BB0708565930199C77E7DC4BFC31A6B368B2F8A7B0239E739304
                                                                                                  SHA-512:3A1BBF3F460DCDCDE1DE3D5F345973D1827EB717AB7FCA3C3DE5A12E324125EF94D7FFC34F664D5C1763790E3A4189F065DFCA4E0E7FB43E4BEC0DA32255E785
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon64.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd64.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8367
                                                                                                  Entropy (8bit):7.272037405136225
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5otYRJoIo6vyowJL/aoxhHoe068jSJUbueqY:nRaD8YJLFHJ06dUb+Y
                                                                                                  MD5:89A312ED78E1EDAC37DE5FD1D3E4E0EB
                                                                                                  SHA1:0F913D609437D8B4C2D9675E66C650C6344B93D5
                                                                                                  SHA-256:065C1A3537BAE5BB645DAC15E068DE3CAEA40E460DF130A05D3CBFE15831E747
                                                                                                  SHA-512:A20DF9DEA384F8B52F287A2E16076CA32BF965B46A46B28BF49A1F18F342AA1E19A1B7FA7AD303AC3AB91364D5C18BCF62083360AF54DC5EA9236BD90AB35A1B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0. ...*.H........ .0. ....1.0...+......0..a..+.....7.....R0..N0...+.....7.....H.`.O.N@...B...b..081005153452Z0...+.....7.....0...0....R1.E.2.1.E.3.7.E.C.2.C.6.8.4.8.9.E.7.6.D.5.E.C.A.0.4.D.A.3.5.1.6.B.9.4.3.2.7.5.F...1..702..+.....7...1$0"...F.i.l.e........m.v.2...s.y.s...02..+.....7...1$0"...O.S.A.t.t.r........2.:.5...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........!.~....m^...5..C'_0....R4.5.3.D.8.9.E.E.3.3.4.F.4.7.2.4.3.C.6.C.C.C.5.3.4.A.D.4.D.4.6.9.B.E.3.0.9.7.2.6...1../02..+.....7...1$0"...F.i.l.e........m.v.2...i.n.f...02..+.....7...1$0"...O.S.A.t.t.r........2.:.5...1...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........E=..3OG$<l.SJ..i.0.&0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R7.B.0.9.9.7.8.F.8.B.F.D.A.2.5.3.F.D.5.7.9.1.3.5.3.1.2.9.3.B.F.2.6.5

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20288
                                                                                                  Entropy (8bit):6.695099027186018
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:w69hD4isesPZlFwQUWeFtdg4uS8fHt9ndIeBq6H7LFhaD8YJLFHJ06dUb+C1:w6WesRlFwQg1buSCH3nWB6bLPSLwJi2
                                                                                                  MD5:775286759FF1211C25A8D65D29024FD0
                                                                                                  SHA1:1E8A304D9DBCF3C0AA09AA10304B09B99995C54F
                                                                                                  SHA-256:9581581926651D7A2887FD51CE2D7A330333E47C4F91FB34D7B20C058D9B96D2
                                                                                                  SHA-512:54D4D0A0547311A6B19D5CB196E98DEF93EB5311F1328FA2B3674E81E157D266B2D8CF78E08E547F3BFE21CA716D4679674B23BCE196D612184840E578DAA806
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................................................................................................................................................................................................................................................................................9.b.}...}...}...}...g.......~.....S.z.....R.|.....V.|...Rich}...................PE..L......H...........!.....$...........%.......&...............................3......Jk.......................................,..(....................3.......2......p&...............................................&..l............................text...R!.......!.................. ..h.rdata..q....&.......&..............@..H.data...0....(.......(..............@...INIT....^....,.......,.............. ...

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2239
                                                                                                  Entropy (8bit):5.36119317959271
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:ehVVpvn2vF+BCs0j/9XSvFhb54y83WhJhdYpBBN22wlFTP/7bp:MJQ20di4yMyAXDwlFLB
                                                                                                  MD5:D6AEB05521710E2006B4A9E8C07C68C4
                                                                                                  SHA1:453D89EE334F47243C6CCC534AD4D469BE309726
                                                                                                  SHA-256:F34C416888AEBE90A29948D95BEB8343B7B49CF7E1BB5193716FD97F0330E842
                                                                                                  SHA-512:13C61423D966A5A670BED20535BF6EA211FAAAC15CAD7D2E1124A855A27360CD7B97BFE01E5EE368A139DE9CA07B236427A2BEAEAD19F7C72FD610876696D82D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; mv2.inf..;..; Installation inf for the Mirror graphics adapter...;..;....[Version]..Signature="$CHICAGO$"..Provider=%Cyberfox%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=05/25/2004,1.1..CatalogFile="mv2.cat"....[DestinationDirs]..DefaultDestDir = 11..mv2.Miniport = 12 ; drivers..mv2.Display = 11 ; system32....;..; Driver information..;....[Manufacturer]..%Cyberfox% = stdMfg....[stdMfg]..%Winmv2% = mv2, mv_hook_display_driver2....;..; General installation section..;....[mv2]..CopyFiles=mv2.Miniport, mv2.Display....;..; File sections..;....[mv2.Miniport]..mv2.sys....[mv2.Display]..mv2.dll......;..; Service Installation..;....[mv2.Services]..AddService = mv2, 0x00000002, mv2_Service_Inst, mv2_EventLog_Inst....[mv2_Service_Inst]....ServiceType = 1 ; SERVICE_KERNEL_DRIVER..StartType = 1 ; SERVICE_SYSTEM_START..ErrorControl = 0 ; SERVICE_ERROR_IGNORE..LoadOrderGroup = Video..ServiceBinary

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10304
                                                                                                  Entropy (8bit):6.601225217483284
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:M46n7JoIo6vyowJL/aoxhHoe068jSJUbueqBfg:TW7aD8YJLFHJ06dUb+W
                                                                                                  MD5:8CD0D603FF051F283CAEE66853622D65
                                                                                                  SHA1:2BAE5B78077F08564AA8DA2DBD8E91C4692BB211
                                                                                                  SHA-256:9CF391A95C44F449827004632A3995C66223D24A09CB309CBA2227C94079857E
                                                                                                  SHA-512:108DC92D80352C3FB2D3EA06B545AA1C19C492506CD0F9C71BF00FF38C97B7BAA840ABD9B33B1E3CE4A154860F1C9301C3504CD1738CC887870025226EA36C32
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$.......................................................................................................................................................................................................................................................................................................................................................................................................}>..9_..9_..9_..9_..:_...P.<_......;_.....8_.....8_..Rich9_..........................PE..L...X .G...................................................................................................................H...<...............................(....................................................................................text............................... ..h.rdata..............................@..H.data...............................@...INIT............................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\install.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16
                                                                                                  Entropy (8bit):3.625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6FMLVJ:uMLVJ
                                                                                                  MD5:903B157DCA56861C845179D4D1C5E930
                                                                                                  SHA1:E6B5ED1511F1F14F0436CA474FF457CB340E7C60
                                                                                                  SHA-256:8402E0C9189FA6EF6EF8E955606C5A20F880F1106EA5F81304E42A0864F078F8
                                                                                                  SHA-512:53F5BE22FD9B12FF9D084A65BE63BFA7A9B5489A5D95263343EE0DB3CE749B1B6D0999AC3CC34B23A4A970F3F02DD7ED1199269C12C8B59313FF58B225774006
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:setupdrv install

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txt

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with very long lines (396), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1150
                                                                                                  Entropy (8bit):4.872615036376876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:0oSneisewrWYSaizLwupc5KEQbEE+H+s+joMyyeDbE7upgO8+jaUZN:2sQ1Rpc5DQo9+s+1yy7ipgl+NL
                                                                                                  MD5:624A16979822CA9E244602EF815E4FCF
                                                                                                  SHA1:FF39FD4A7EE12C5190144E2F28AB5D7DB2A3F435
                                                                                                  SHA-256:18D357C3792C89E9A8FC127E65A81BE919BEC7166E537ECA080478E0370E61C6
                                                                                                  SHA-512:491EB3288F3753FB18DF1E1F634C07ECA7FF6970C6CE6778E0EB0C4FB1EC0A8E490C1273A0183CAC221DB8750B03FCDE5B7B03FBF8A98A5C43048523C7CE37C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1. GRANT OF LICENSE:......RDV-Soft hereby grants Ultr@VNC Team -non-exclusive, royalty-free, worldwide, perpetual license to distribute, use the software product "Mirror driver" in binary form for their remote controle software. Ultr@VNC Team hereby grants the end-user the right to use and distribute the software product "Mirror Driver" with "Ultr@VNC"..... ....2. LIMITED WARRANTY......NO WARRANTY. To the maximum extent permitted by applicable law, We expressly disclaims any warranty for the SOFTWARE PRODUCT "Mirror Driver". The SOFTWARE PRODUCT "Mirror Driver" and any related documentation are provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability or fitness for a particular purpose...NO LIABILITY FOR CONSEQUENTIAL DAMAGES. To the maximum extent permitted by applicable law, in no event shall we be liable for any damages whatsoever (including, without limitation, damages for loss of business pro

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):5.9219061141523825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:1zCCrWvSRU7VEBmGDnw29Gz07X83JlcytyCpw:1zCCrM7Uio83JljtyIw
                                                                                                  MD5:50F6A9509729A6D8D97E29AD259C6A1E
                                                                                                  SHA1:1AEADFC64CD4D6B9D878F93999A4D571936CCA91
                                                                                                  SHA-256:C8B3049C278B7E3FE2CFE4D84096A292CC14557EBCC02B8998EB14C83289EB8F
                                                                                                  SHA-512:71660BEE4D58074B05538DA18F905CBFAF1567C60AA02F7C979571F3D21AC2AD56F19B3B7FEB2430686302222932CB901B0B895C16076EF1963CC93C94311769
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p..p..p......p......p.n....p..p."p......p......p......p.Rich.p.................PE..L.....H.....................`.......<............@..........................p......z_..........................................x....`..4...............................................................@............................................text............................... ..`.rdata...0.......@..................@..@.data...d3... ....... ..............@....rsrc...4....`.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\uninstall.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):405
                                                                                                  Entropy (8bit):4.932556842608647
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kCdgk3hdyE23B1047V1j47V1u47jkgAq3Gn3C:/jR8XRC4R94RQ43Aqqy
                                                                                                  MD5:00A98380A84308DFEDB409827DB9C916
                                                                                                  SHA1:F31EC578108616125450187C709B6E133425BC25
                                                                                                  SHA-256:948C84A52F8847798150629B396E29857C0C7EB77550276A000E02B2B9C85A4E
                                                                                                  SHA-512:73AFAEB0394B470102A05D6E7F1195E60BEFE5469241C5ED182032AC80E54196945E7E9AA9AC2391DC13528E06F3D6C165C4083ECFE6B6F07A1E8F2E30AA5A8E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\devcon.exe remove mv_hook_display_driver2 >> inst.log....\utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End....\utils\DIFxCmd.exe /u driver\mv2.inf >> inst.log..:End....sc stop mv2 >> inst.log..sc delete mv2 >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28904
                                                                                                  Entropy (8bit):6.117643529522381
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:e+YCxM04ZZNXkvT4cTMUBZ17XM/Q3HUL+drIKumXOs:eULtXFULWfZ
                                                                                                  MD5:87FC012C1B45E780B6CFF6C4F1677C3B
                                                                                                  SHA1:C8EDB2EA85AE5EC17232F6E4CC5594AFB4805936
                                                                                                  SHA-256:D09E57690C0E9D6FF7EF26C7DD85F2E6D19C8E7B36CC298AEBAE04B16D59CA45
                                                                                                  SHA-512:9CD0590444B5FC79CDCD98196D43B027FA17091B49C5246CF9AE97128131BE851D7547BFB5896A2400045CE38901D74A61AEE2DE7D833B178CBDC6EFCC30CBAA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sk..7...7...7...>rn.0...7.......>rz.4...>r|.4...>rj.3...>r`.6...>r}.6...>rx.6...Rich7...........................PE..d...@.@R.........."......8......................................................................................................................(.......8....P..X....T..........(....1...............................................0...............................text...F........................... ..hNONPAGED..... ...................... ..h.rdata.......0......................@..H.data........@....... ..............@....pdata..X....P.......$..............@..HPAGE....G....`.......(.............. ..`INIT.................D.............. ....rsrc...8............L..............@..B.reloc..t............R..............@..B........................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\install_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):193
                                                                                                  Entropy (8bit):5.2470977727549695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dYV0K8G6Pm/mec99KfRFQi64hA3C:kid40K8GteerfUibA3C
                                                                                                  MD5:1E14B5A16092F96F382E7CC1291A2B8B
                                                                                                  SHA1:5CBD16AE4C6570AF42D6DC61C64AC2660FD88F60
                                                                                                  SHA-256:D547136F9EDF4066EF4E59864EED1D45EEBAE7FBB338F0068C925B6E6212A0CE
                                                                                                  SHA-512:1B5222F0F87C6C4A651868DFF84A7BB69A3C913257F0665DD955AF411AD9FC7D19AA1242F362BA676474CCEDDAC51D2B3A1AAEBA11BAEFEF899C6D5C0F083509
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe update stdpms.inf *PNP09FF >> inst.log..reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "BlankScreenType" /t REG_DWORD /d 2 >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\install_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):207
                                                                                                  Entropy (8bit):5.345831283284553
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dRLw0K8G6Pm/MWyec99KfRFQi64hA3C:kidm0K8GtfyerfUibA3C
                                                                                                  MD5:0270238B2339619D2CC54585124D1ED3
                                                                                                  SHA1:657F624CD74BADB8CB0186731FEDA17A997AD929
                                                                                                  SHA-256:01D2B51A0E18924936C30611457CAD5C5CC2A803C4CFD45E0850A92F6C55B6D7
                                                                                                  SHA-512:52A05F90023926CE9274C64CDE925C2C6055439201AF932459D4FED3D823D08164C76695FFEBA1763C4F9D76D52AAB2F86E230603E3DC2FB7664256E1856CFF8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe update stdpms.inf *PNP09FF >> inst.log..reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "BlankScreenType" /t REG_DWORD /d 2 >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8925
                                                                                                  Entropy (8bit):7.166871854157093
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:dBsB42FHECwUnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lfr9mlv4:kB4UwUnYPL/p1P6j7Tmu
                                                                                                  MD5:38BEB031E625E814CFA8F84CEEE2B8FF
                                                                                                  SHA1:103C875EE0378BA5375A34E731FB2AFFC07939E1
                                                                                                  SHA-256:D441726A3E82AF0DF1C60EDD17B753E59827789BC50E3E79FE957319085F9091
                                                                                                  SHA-512:45DAD2545DB7B3A43DA22FB04518320BFE7E601AF053866253A52F887EE7C8919587AB11C448D335758BEFE2633D3D176B022F2E29D2B920F6164A6101F7CC41
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0."...*.H........".0."....1.0...+......0..j..+.....7.....[0..W0...+.....7.......L.L..O..Jm. Ym..130924010058Z0...+.....7.....0..S0....R3.7.4.F.E.D.7.A.4.4.6.6.9.F.1.A.C.7.B.0.7.2.B.0.C.7.1.8.5.5.F.5.B.6.B.0.3.5.C.8...1..m08..+.....7...1*0(...F.i.l.e........s.t.d.p.m.s...s.y.s...0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........7O.zDf...r...U...5.0....R7.C.8.2.3.8.E.F.3.2.B.A.3.9.C.D.9.C.9.4.D.D.0.5.4.5.0.A.7.D.E.0.E.D.E.1.4.5.D.4...1..e08..+.....7...1*0(...F.i.l.e........s.t.d.p.m.s...i.n.f...0a..+.....7...1S0Q0,..+.....7........<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+........|.8.2.9....E.}...E.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1897
                                                                                                  Entropy (8bit):5.40875279355006
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:jshokavrehezNkgyfROQ9gHwuMgHPgHh2v6YgFR:jMokCcakgMgyIMsAegn
                                                                                                  MD5:A68830A694AB983F0CBF2CC735A535E8
                                                                                                  SHA1:7C8238EF32BA39CD9C94DD05450A7DE0EDE145D4
                                                                                                  SHA-256:6F5CA12FFDFF830B32F02AF03C7B385819CC07BB51AC72A20D69B9C51B2E4112
                                                                                                  SHA-512:581478C5A9488227D0C56E34B7AE353C3FA7068D84023AEC14390B31D24B65BED82FD39590C5A7C4875AD25DEF17FC67ACC97C327D4282AD1E11DD9C260A714C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$WINDOWS NT$"..Class=Monitor..ClassGUID={4d36e96e-e325-11ce-bfc1-08002be10318}..Provider=%splashtop%..DriverVer=06/19/2013,1.0.0.1..CatalogFile=stdpms.cat....[SourceDisksFiles]..stdpms.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,64bits....[DestinationDirs]..DefaultDestDir = 10..CopyFunctionDriver = 12....[Manufacturer]..%splashtop% = Vendor, NTx86, NTAMD64....[Vendor.NTx86]..%splashtop.DeviceDesc%=stdpms.Inst, *PNP09FF....[Vendor.NTAMD64]..%splashtop.DeviceDesc%=stdpms.Inst, *PNP09FF....[stdpms.Inst]..CopyFiles=CopyFunctionDriver..AddReg=stdpms.AddReg....[stdpms.AddReg]..HKR,,DevLoader,,*ntkern..HKR,,NTMPDriver,,stdpms.sys..HKR,,Description,,%splashtop.DeviceDesc%....[stdpms.Inst.NT]..CopyFiles=CopyFunctionDriver....[stdpms.Inst.NT.Services]..Addservice = stdpms, 0x00000002, stdpms_Service_Inst....[CopyFunctionDriver]..stdpms.sys,,,2....[stdpms_Service_Inst]..DisplayName = %splashtop.SvcDesc%..ServiceTyp

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23272
                                                                                                  Entropy (8bit):6.296320987470735
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:G7yGlvIydpSkgTyLAykFsAZNOhFB8LHFnYPL/p1P6j7rflo:KyGlvIydQkgTgQFJjrFumXflo
                                                                                                  MD5:F44EC7AB90115F60EE5C89C40326E637
                                                                                                  SHA1:01BEC4EA8173F191321300587142A6E750728854
                                                                                                  SHA-256:C870FAFAD5C6DB27954C0440D9EFDDCE7B9C61D754EF0E77ABF18EFA1055DD90
                                                                                                  SHA-512:17FD122441EB1B2DBEAD9D79E0B8DB2CB0D581B930DF140069BD77440AA4F9BF4DB80784F261F57253CF3351546817238AAC81B2D68DA74884C46D514C9A9EDA
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$................................fd......ft......fc......ff.....Rich....................PE..L...>.@R.................*...........p.......0..............................................................................p..(.......8............>...............0...............................................0...............................text...l........................... ..hNONPAGED..... ...................... ..h.rdata.......0......................@..H.data........@......................@...PAGE.........P...................... ..`INIT.........p.......,.............. ....rsrc...8............4..............@..B.reloc..|............:..............@..B................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):429
                                                                                                  Entropy (8bit):5.13651514908582
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kWgfeVKfDFGjdCi4eGjdyE23B1047V1j47V1u477lLWNi:ZoDowvei8XRC4R94RQ4h9
                                                                                                  MD5:F42F2B0F25E41755569A7775A5C6F8BA
                                                                                                  SHA1:B630C60A3375309731B0B7AC33A9D6E12B44ED50
                                                                                                  SHA-256:F026A21D6037169A81AC862A79E4F47C674B34914C1DED36BCDDB8739C838F46
                                                                                                  SHA-512:8D9B9335D4767ACFCF651DB62B2B710CC9ECB402980D6A98982A1EA1C0A6F64FBA9762F2A44673CFE5749EE742F5FE68031FCFF968B4B4D2A290E74A0192375B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..reg delete "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /v "BlankScreenType" /f >> inst.log..utils\devcon.exe /r remove *PNP09FF >> inst.log..utils\devcon.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End..utils\DIFxCmd.exe /u stdpms.inf >> inst.log..:End

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):447
                                                                                                  Entropy (8bit):5.223602249135668
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kWgMyeVKfDFGjdd4eGjd0E23B1047V1j47V1u477DLWNi:Z3EDoQeiqXRC4R94RQ4P9
                                                                                                  MD5:3ADA65DC27A4580E1CF3FDC58A4A8C79
                                                                                                  SHA1:C1D8A0723FE1C586CEA434297CEF96E4E25C847D
                                                                                                  SHA-256:21D46DA2DC3808664C0D6028271BE0EEAB25DEFE60653E481238EEE96273E609
                                                                                                  SHA-512:B55E5E2CD2C1E48C526DEA70C075810F019942A72C2B0BBEF31E2DC8337B104ED5EB199AD6F0D8A16C6DFF3353193E647011A3E80762E47C9E7C13C6FCD4DBB4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..reg delete "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /v "BlankScreenType" /f >> inst.log..utils\devcon64.exe /r remove *PNP09FF >> inst.log..utils\devcon64.exe rescan >> inst.log..ver | find /i "5.1." > nul..if %errorlevel%==0 GOTO End..ver | find /i "5.2." > nul..if %errorlevel%==0 GOTO End..ver | find /i "6.0." > nul..if %errorlevel%==0 GOTO End..utils\DIFxCmd64.exe /u stdpms.inf >> inst.log..:End

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):207184
                                                                                                  Entropy (8bit):6.508603224700573
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:SJzsVxRROApObap+CPSxzqNJ3pvfsFMV2+/SRVDB:SEOb5x2NxqFMi
                                                                                                  MD5:BDF578CA45021464EB4C5F2725FADE13
                                                                                                  SHA1:17FD8DD28EBE232EDB4A7D5B4A9734D6F48212F3
                                                                                                  SHA-256:F9711EC83463C8D7D8D3C2E0493BBDD9C55D55869AD49E327CC1F0612A836B51
                                                                                                  SHA-512:611999852027F5E52A786F4C22A77AF75EE3ECB1584AC1F061100248D19AA1C45C31665A38A46604B1D489A049D3CE00EF43DA7A5E427A3A7C1A5EFA0D874526
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<..<..<..5.5.3..<.....5.3.*..5.%.B..5.4.=..5.".k..5.2.=..5.7.=..Rich<..................PE..L....N.\...........!.........v......8........................................P............@.........................@...}...\...........................P.... ......@................................T..@............................................text............................... ..`.data....>..........................@....rsrc...............................@..@.reloc.../... ...0..................@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):214992
                                                                                                  Entropy (8bit):6.578816818366091
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:1yYZVBVmekQ5ncHc43wAmaxEJg3tNqYU51pQ8DfqXF7q9B24CvJ6BAQ:1y8Vf1uTHNqYUH+8GeMvJ4t
                                                                                                  MD5:DDBCBCED9CCBA27D296B680D04178B1D
                                                                                                  SHA1:5BE1EF49678E4F9250B675DFE595DF1219DD7EF9
                                                                                                  SHA-256:B23B42E24EAB4E2F1DD94711EEC741F94D39F5EBAF238820A0B9D464522C24D2
                                                                                                  SHA-512:B913058A50A4235925F208E9FA8740DDA1A070168285401FD9C9032C0CC782887F5D92A0D68796D7473E61EE8DDC1E863503C288CAD1F99C233A0DEDE37CB314
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......mX.])9r.)9r.)9r.oh...9r.oh..<9r.oh...9r. A..&9r.)9s.G9r.$k...9r.$k..(9r.$k..(9r.)9..(9r.$k..(9r.Rich)9r.........................PE..L...-..Z...........!................(C...............................................:....@.............................Y............P...............0.......`..........8...........................8...@............................................text...p........................... ..`.rdata...e.......f..................@..@.data....4..........................@....rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):147280
                                                                                                  Entropy (8bit):6.480280521349599
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Sooboos//G/jWDiNza6LR07qZ2bzl409+E/PXwCSp6WKsAqHew+1l7niE:SooyFiJRmbzl4mZYYqHz+1l7iE
                                                                                                  MD5:4359D841792BD3A711065BD347503ED4
                                                                                                  SHA1:ED3DA69B4DAAEE1E3C6A35B9B22A3608C210B845
                                                                                                  SHA-256:D8BAC61DF2126D9203B3823AA40AF05FE7B6F9C5122DEBAB5F8CEADD1119773B
                                                                                                  SHA-512:F1FB6B25199CDBD0C40CCCEB069CF3DC32DEEDC2F21C67CC8C22A189115389795B435631EEA30A94EDE19331FACF475A4BD7163522D9AD0EC1DF6118D1E05EAB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V..V..V..._..V..V..V...Y..V...O..V...^..V...H..V...X..V...]..V.Rich.V.........................PE..L....N.\...........!.........`.......q.......................................p......Y.....@.............................{.......x....0..............."..P....@......................................P>..@............................................text...;........................... ..`.data...@2..........................@....rsrc........0......................@..@.reloc..D$...@...&..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):160080
                                                                                                  Entropy (8bit):6.481630469427064
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:CizpEi8PNuoyZLy39r4BRyFr8Tjqe1LP+0hORlE:CUpX8FYFyB8T2oyRa
                                                                                                  MD5:1E478E7F7D20800B958E2D1780C805F6
                                                                                                  SHA1:F166DB5211F695BA039DC81C246653EC1B25DC02
                                                                                                  SHA-256:9989C6791433F8B7FD05F4750F79F9082DBD28087948A366EA695EAC983150CD
                                                                                                  SHA-512:852EFB6AE48B3C4BAD4B8E11DC46AAA4CA37A501AFD568B469BB9ED43A27086916588F370286DD1F51834037777C4D2518310A37A469AE7BE19CFE36F08A98D3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c....j..j..j.z...j..k...j.z...j.z....j.z...j.z....j.z...j.z...j.Rich..j.................PE..L....N.\...........!.........b......%........ .......................................r....@.............................z............`...............T..P....p.......................................C..@............................................text............................... ..`.data....2... ......................@....rsrc........`.......&..............@..@.reloc..t&...p...(...,..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):194896
                                                                                                  Entropy (8bit):6.4942111692959354
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:0w8OfdMjstdIxIImJZDpwmw6jse70oSzhiVjkXIS1qPfb3PPqFSqQovoRe9C86/9:0w8wZDxspqPfbuSqQCoSz6/e1+1FiAx3
                                                                                                  MD5:F0FCF6CB5986E267A978A0DF86471563
                                                                                                  SHA1:214F4BB84F7A1981D30B7C4BC13C7B3E4A5CC8B3
                                                                                                  SHA-256:34E4A968A87692DA8A2EF073ADD7E19F32009709B50F7C747D1D8BF261C21CBC
                                                                                                  SHA-512:529DFD1E587BE6EA67B464C44CC7A0C1B0F6A9CD663590E7BD0083CC7A68DD8F60FC1E81E26012D71CF5C8BD5EFF4B2FB477D5DBEF3FFA1FF4136CE266B5DA6F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c!...O..O..O.z...O..N...O.z...O.z....O.z...O.z....O.z...O.z...O.Rich..O.........PE..L....N.\...........!.........h......Z}....................................... .......g....@.............................|............... ...............P.......4... ................................M..@............................................text...<........................... ..`.data....3..........................@....rsrc... ...........................@..@.reloc...-..........................@..B................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):245584
                                                                                                  Entropy (8bit):6.433639873152362
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:0w+rqKMvEZF6VPvVpb1eTjLp8D3qkTmII9b9zC+l+smDP00IPWx2Wuw:0drWgFEPNB+MPTHIWjP00Ie3
                                                                                                  MD5:FE4F22128776F52062DD8FA74D0B5075
                                                                                                  SHA1:3A15B1AD0B5D62D474319A3DB95D985B49537BF1
                                                                                                  SHA-256:EC4D01234426AAC9FF2751B209B0484769BEE97A0DC930B1B56A1743CD24B805
                                                                                                  SHA-512:163A78CB59061B4B9BE98DC763109744BBBEEDAF8B3CB7EB19A22334AC1F9223880C0E8684FEB4B363C824D9918E72E1B94D5F76AD63235F8C49ADEFC3713637
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.Cr.Cr.C{.2Cy.Cr.C..C{.4Cg.C{."C..C{.3Cs.C{.%C*.C{.5Cs.C{.0Cs.CRichr.C................PE..L....N.\...........!.........................0............................................@..........................(..k.......x........!..............P........,.. ...............................xO..@............................................text...+........................... ..`.data....@...0...$..................@....rsrc....!......."...B..............@..@.reloc...=.......>...d..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):238928
                                                                                                  Entropy (8bit):7.071067596161183
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:OG9NqQQHPItXExQNj+mB92u+CW5D37LnuHc45X0T5/uyFNJpfUarTtBB:99AP2b+mBQVJLnYlETtug5T
                                                                                                  MD5:2A397EFDA6D84A15B890D56D4292BA6E
                                                                                                  SHA1:F985E4893119E6C30191DE84DA25059B33F902A8
                                                                                                  SHA-256:398AEC7557E2E1DB30EFCA6FDA0D7D23940B863B396C1A4FC2BB588294F595E6
                                                                                                  SHA-512:A199C2FF26C3A3E1DA54D8386F568FA900B853FE3D3754100904EF3153CD72D672971FF72141D9AE5F5BC467D59E2DDC69856C761BBA9DA4488FC69F52A9E5E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................_.........B....Y......O.....^......H.....X......].....Rich....................PE..L....N.\...........!.........t...............@............................................@.........................p<..|...<1..........................P...........P................................C..@............................................text....,.......................... ..`.data...@2...@.......2..............@....rsrc................H..............@..@.reloc...*.......,...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):249168
                                                                                                  Entropy (8bit):6.2058943183487445
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:E/vPLr8AhQh4jhNgZzSNPSVlX4T1FrKT7EjUOkdny+ywlJZcWzV8TMXU7o91y4Rd:i3LIl4XgsSVloTnPYdn7lJZRZ8QXqsJ/
                                                                                                  MD5:EB8DA0234C4D7C7A58B8FB820AFB4BD2
                                                                                                  SHA1:1DED1192371D0B0BF17F5AC908A96A1499C1CABD
                                                                                                  SHA-256:88F7BDCB33CDC34B5E8834634A36E2B6A45015016C47EFE4B846A4D202326093
                                                                                                  SHA-512:789725D38C041CDC311065E7987CC7E79F9A6C00E2F3ABD37096A04F81258636AB0DA6B99F895CC80DA9F770DB0C594EB8467CCA1B77854E091F8FA18F19200D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.V.z`8.z`8.z`8.s...{`8.s...u`8.z`9..`8.s...s`8.s...O`8.s....`8.s...{`8.s...Y`8.s...{`8.s...{`8.Richz`8.........PE..d....N.\.........." .....H..........................................................]@....@..........................................U..}....J...................)......P.......`...@................................................................................text...-F.......H.................. ..`.data....O...`...*...L..............@....pdata...).......*...v..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):237008
                                                                                                  Entropy (8bit):6.30179636306813
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:B+2HsTNg3ex5PUwoEK2dvK7PnGxOkf9V3QhjTvI9Nle9owmPDXpUIJonb:BDHsT2qvoEKMAGxOkVJQhjTAEgY
                                                                                                  MD5:7DD3CA728E061F9C438209935DF41FD8
                                                                                                  SHA1:D291C17619FB2E9B8A4CF07B53A56DC60CFB4C8E
                                                                                                  SHA-256:F19F300E4623E3B57F870D8E4B150F2E70D29E6CB47750671D53667BB0804202
                                                                                                  SHA-512:E7D0AB0EB37F6B245B1EBDE46C2D9184AB801EB659E4F4ED7C2AFD07843A1646612290AD3C315EE9BF7FC1A9425B58E2A03810014DDBB621EB46B331AA2E753E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w..w..w...&..w...&..:w...&-.w..c.9.w..w...w..%..w..%..w..%).w..we.w..%,.w..Rich.w..................PE..d...+..Z.........." ................|N..............................................;.....`.........................................`;..Y....;..................0!..............T...@...8...............................p............................................text...[........................... ..`.rdata..............................@..@.data....?...P.......8..............@....pdata..0!......."...T..............@..@.rsrc................v..............@..@.reloc..T............~..............@..B........................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):168784
                                                                                                  Entropy (8bit):6.240155377344884
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:l0fRIF+SwIL9Bagg2mCEPToX/ITpu0uOpDSgb2WXa+qM5F:CfaCIJbglCe1Vu0uIDSlOF
                                                                                                  MD5:77C729F857CFA38CFE4FCB18EE8F6BAD
                                                                                                  SHA1:938F96F880E824D03F1174C3D1CD56922452E5CC
                                                                                                  SHA-256:C1C016F2917B395A16936C692C35B8E6CC4C0196C26BC69AA8A686747BA690AD
                                                                                                  SHA-512:F921A945EFAD2DF95BAB6574029D6E4502A1C2D52E44550547CE2C812E8D06E8120F9EAB07F728E97F17C4949CC112F20E59938906E0F26988E4F79903BCF658
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#U..pU..pU..p\..p^..pU..p8..p\..pT..p\..p\..p\..pe..p\..p"..p\..pT..p\..pA..p\..pT..p\..pT..pRichU..p........................PE..d....N.\.........." .....*...j......................................................w.....@.........................................`8..{.......x....................v..P...........p................................................................................text....(.......*.................. ..`.data....?...@......................@....pdata...............L..............@..@.rsrc................h..............@..@.reloc...............n..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):187216
                                                                                                  Entropy (8bit):6.244838939180771
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:sSUAV0AVZrAVOVrHYapV5Ddr1oxkg9gh0CBEACcodM5nY+WVFGoK4:jvPb6OVrVNJ1ufqBEACjGK
                                                                                                  MD5:8E2C3434811B348F7AB9F7DEC6E95C3B
                                                                                                  SHA1:349682719857DB46E4A7EBFCEF0F85264B3116F3
                                                                                                  SHA-256:11F45D049C8FABF308944D77D17AB3FBB0A7BB5BFA143263B9EFBECA3A568EE3
                                                                                                  SHA-512:C271F2BBED3E740D771AF1A3BF684F4CB67C8F9B0D20E7D886817602F76BE8A432B05AB4E2AC8FDFCEEAA194602C81D8C9FFE6E015D224C6DC9C40F125365F5D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4...Z...Z...Z......Z...[..Z.......Z.......Z......Z......Z.......Z......Z.......Z.......Z.Rich..Z.................PE..d....N.\.........." .....n...n....................................................... ....@.........................................0}..z....r..........................P...............................................................X............................text....m.......n.................. ..`.data....?...........r..............@....pdata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):244560
                                                                                                  Entropy (8bit):6.236867435454928
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:RuctDSdRbMOiymM/Cufn5B+1jowgreeTwcL:RqXMOFmA5VwgBE0
                                                                                                  MD5:61BD6282DB08405FD08C64BC00CEBF4B
                                                                                                  SHA1:EC4391249AE7247162C0D28B50ED73B1DCD11246
                                                                                                  SHA-256:A3BF8ED5ACCB8EBCA5C9A4430FA54A492E39160AE2BA51285D241D75F1743848
                                                                                                  SHA-512:DFEF9209C57E890F7D29280F6A296C5A9D1C3F496464C9EEA28DB0E1C407F2C5042DF926D442480359A120A93D8C44536C5A0C119C3AB6E7D15685F157E28DD6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kNgi//.://.://.:&W.: /.://.:R/.:&W.:./.:&W.:&/.:&W.:./.:&W.:W/.:&W.:./.:&W.:./.:&W.:./.:&W.:./.:Rich//.:................PE..d....N.\.........." .....>...~......`.....................................................@..........................................L..|....@.......... ........*......P............................................................................................text....=.......>.................. ..`.data....A...P... ...B..............@....pdata...*.......,...b..............@..@.rsrc... ...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):333136
                                                                                                  Entropy (8bit):6.120290709944056
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:TJNLhV1jxjcVfgFf6QlJpYw4MxuiMRZI7CPdxV4eZ+PyRPP00Io:TJ1j1aVfgFiQ/ug/G1
                                                                                                  MD5:8EFFB8A42CBC831CD360E9B1BEF65D98
                                                                                                  SHA1:BA78110DA11B7C8C6432F1A128B7D9DF384AE9FD
                                                                                                  SHA-256:ECB1BCEA47422DBFD4326669AC5B2DB463088994B12008258EFF2C546237864F
                                                                                                  SHA-512:B29D4B954619355A2797A4CA88664BC9679AD1C5EB4A2FE54BAE63399DF06405969B4E2D0098AD6A7C8E0C7A2A9E19F0DE20C5B1D401D933D89D2D71F7A32789
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f2Ji.aJi.aJi.aC..aKi.aC..aAi.aJi.a?i.aC..aCi.aC..azi.aC..a>i.aC..aKi.aC..aci.aC..aKi.aC..aKi.aRichJi.a........................PE..d....N.\.........." .....P...........N.......................................@......5C....@..........................................]..k....S..x........!.......:......P....0..........................................................P............................text...[N.......P.................. ..`.data....V...`...6...T..............@....pdata...:.......<..................@..@.rsrc....!......."..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):273232
                                                                                                  Entropy (8bit):6.8361644522698635
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:7j4c/JPjXOQTuGkfIpmWpnETJLnYlETtu/:7j4cBbEZTTJDY+0
                                                                                                  MD5:C52E66AE497C51CF73098D494EEBF8F0
                                                                                                  SHA1:8E7E38F30FAD35D8ED935B14FFA1BB5A9EABE4D0
                                                                                                  SHA-256:F6F7D5C20A078BE7ABD2402316A605F050388C6303D7F3ABC45F201D1FC5F1FD
                                                                                                  SHA-512:579E0DD63720B6D004FFBE6AE1686F43B70CEB8722DAC70FD06E5B06682C0F22282374D5394C06398252A2EA8163EA884239A8065EC5807DE1A9389A479CFC36
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}?...QH..QH..QH.d.H..QH..PH?.QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QHRich..QH................PE..d....N.\.........." .........................................................`............@.............................................|............0...........$......P....P......`................................................................................text............................... ..`.data....>..........................@....pdata...$.......&..................@..@.rsrc........0......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\install_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):867
                                                                                                  Entropy (8bit):5.162389785193304
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:k8rGqwAcK/EyAZRVowyyAcK/E2kam0LYDeegidym0EZkBqq6JFpYpFSqq6JFrmp5:XrWWFwD7WR8mI/xOZE
                                                                                                  MD5:013784DA9890EAB3D914505857EDF2B7
                                                                                                  SHA1:92C9CA11174E98F65AD6898705176ED50EF55F95
                                                                                                  SHA-256:CDA5DEBA2BE6CFE1E111DF596AC08D45762A96B14AEC796C4E70F128C0734EAC
                                                                                                  SHA-512:9D71BEE329BDDA3B8EA064BB92813062D91079BA841AE50D6CC7D2AEAD27D49279D2857141C02BD5FA565D5C497E9E8E8163579A425F7C87550F1F0EFC194652
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\install_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):879
                                                                                                  Entropy (8bit):5.190136582088596
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:k8rGqwAcK/EyAZRVowyyAcK/E2kam0LYDfyegidym0EZkBqq6JFpYpFSqq6JFrm7:XrWWFwD7WR8fCI/xOZE
                                                                                                  MD5:0A0EE03D0C51915B2815280B476530F4
                                                                                                  SHA1:6C074D8E0D462B6E6D0CC5C02BABB88D483E3551
                                                                                                  SHA-256:C3FB7578267FA09C4446C926532FD869DD8E74CD20AF2915BBEE32DB4D647C9D
                                                                                                  SHA-512:85EC5D2898892F847618D7A10D7DD680839A3D0E55603D56C5C39568E8D7B0F63F7A10BF4B063611B9ECD395BD73B89010B421ADD481CDBEF0A50B3770A9C9F8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\p_mount.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):214
                                                                                                  Entropy (8bit):4.631936044721133
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Hjsm6y9jcK/ES2d6y9jcKZS2bVXzLYwkrnRS2n:DWAcK/EyAcKZRVowyh
                                                                                                  MD5:88E59700F53DE95D2847B9687764BE30
                                                                                                  SHA1:CD5780DBF1C711B9C28DC001F4149BA3251BECF7
                                                                                                  SHA-256:B085F4E0D6A7A4DC967C96D7C318CB749BC497135FD9E35D7AD0C88E6C53F577
                                                                                                  SHA-512:6E7D2FD4CF87B63BAB39E225362ECBE60F52FAB0DA42C97834B8EA59D653CDBD06B98E2C490C5465B1999AF2F7869F729CBFC34E55D5ECC768D85D48B9874374
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:cd %~dp0..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\p_unmount.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):203
                                                                                                  Entropy (8bit):5.068283784998216
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:mKDDQFGCTWYdym6F9K2MLgZ+X0KcK/F+N7oaf/DEd7/JQF9K2MLgZ+X0KcK/FvK2:hsICTJ6y9jcK/ePD0Sy9jcK/ES2uz
                                                                                                  MD5:FA3C191799254E542687F1F5D0974BC5
                                                                                                  SHA1:DC85AAC2AA31CD3DE9017E7E099581457AD4FBF2
                                                                                                  SHA-256:347B12E6E2FC79E2A3668625341D7642D531159FFE5B01AB2BC5469E0EFC6B3F
                                                                                                  SHA-512:635689814E63084910541BA68FE8ADE8FDFBC3D0100AFD61DDD13D07E61F3478BA75E4D24AA7B26DF21A3E46C4ED2B1C8789520C5634CAC63CFE32DCB1E8686E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off....IF [%1] == [] GOTO RunDefault....rundll32 printui.dll,PrintUIEntry /q /dl /n %1..GOTO :EOF....:RunDefault...rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"...GOTO :EOF

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17908
                                                                                                  Entropy (8bit):6.33935778048778
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:fNDJbjaXGStblM2wk0mev6/9IDRfupdYpJIBbIgx+4lMrp2/CsECw8nYe+PjPVhc:n3dw75xa1Sw8nYPLVhtOUez
                                                                                                  MD5:2DAC6568B843EBDC5C98598CA32918BE
                                                                                                  SHA1:E7740E4BE7F71A82ADBB6E5224D33534E237614C
                                                                                                  SHA-256:EB61A0E06BF8C69597F9BB1909E3EB4F926E49800C3F9721FDA3007993DA5EE7
                                                                                                  SHA-512:1BC8AA82E68911F5EE1835D19CF49A736C1C35C2F6B4FCD48C3C6FCF7FF6958400D1E815C5E891E172AF9035232175BB00E8A21F5A0590F02DC683F45A6C3D8B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.E...*.H........E.0.E....1.0...`.H.e......0.)...+.....7....(.0.(.0...+.....7....."@..g.O........190419043016Z0...+.....7.....0.(*0....R0.7.B.D.E.B.D.2.1.F.7.7.9.4.E.8.9.E.A.B.D.7.8.5.2.7.7.0.F.9.C.3.C.7.E.4.2.5.0.6...1..Q08..+.....7...1*0(...F.i.l.e........x.d.b.o.o.k...d.l.l...0M..+.....7...1?0=0...+.....7...0...........0!0...+.............w...'p....%.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R0.9.2.2.5.D.8.6.A.4.8.9.4.8.1.5.2.D.E.3.A.F.3.4.6.4.9.1.B.8.9.3.5.7.9.2.5.3.C.A...1..G06..+.....7...1(0&...F.i.l.e........x.d.n.u.p...g.p.d...0E..+.....7...17050...+.....7.......0!0...+........."]...H.-.4d...W.S.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R1.3.F.C.5.E.A

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2793
                                                                                                  Entropy (8bit):5.507689832444162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:JQUio6uDhMM/s4244P8/CW2T8/C0kApvgJCrC1sJCr+6pqEsXncT9tuhcOYEZ53t:JQUiRKhMostT9Ap4sr4ssraXx
                                                                                                  MD5:313535621266212971E303AF0AF4FE21
                                                                                                  SHA1:D81F9D3F7B638DE5EFCA0ECB0162A76485E2C2BF
                                                                                                  SHA-256:0B60A283CB98034CEE13118BF1F885A644479CC6F4B19D9E4D24A5FEC6064A1F
                                                                                                  SHA-512:8A1A716A2CAD85410F009EE0CDF570F4CA36E3A182927CA5B836F3FC0BEE466F0C4E8B583694A6A4014CE60C45A2439119BF0C1ADDA0ED168053E9F08A6DF608
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$Windows NT$"..Provider=%splashtop%..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..DriverVer=04/19/2019,10.0.10012.16386..CatalogFile=stprinter.cat....[Manufacturer]..%splashtop%=Vendor,NTx86,NTamd64,NTx86.6.0,NTamd64.6.0....[Vendor.NTx86]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTamd64]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTx86.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[Vendor.NTamd64.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[INSTALL_XDSMPL_FILTERS_PRE_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..PrintProcessor="MS_XPS,filterpipelineprintproc.dll"..ConfigFile=UniDrvUI.dll..HelpFile=UniDrv.HLP..DataFile=XDSmpl.GPD..Include=NTPRINT.INF, MSXPSDRV.INF..Needs=UNIDRV.OEM, XPSGPD.OEM, XPSDRV.OEM....[INSTALL_XDSMPL_FILTERS_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..Confi

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\uninstall_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2543
                                                                                                  Entropy (8bit):5.42985763446162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2uMRFNu4TMlWaDqFNQ29ZNlV2MK712DJNzaMR1X2kKJzgSZwlQXV2MK71euV2MKc:QFQ4ShC66ZLq7UAq7zq7o
                                                                                                  MD5:C228BF417378FD98E4229A2BA3054CAE
                                                                                                  SHA1:175CCDA93EF8EDBFAB2F1BE507F64690FE5BECE9
                                                                                                  SHA-256:1DFD5E0AD2765E39A614EF56603A749C095DDC00E6F50079CDDDA8E18159E73B
                                                                                                  SHA-512:6F9D65AA46B702E55D34532A37B33993AD53AB305679768F419A74B8CE2EF8C494CC877606C3C663545111F1189CE4456798D465C1A5EB4F7B6708DEB2A6B719
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..utils\DIFxCmd.exe /u stprinter.inf >> inst.log..utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows NT x86\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\3\xdbook.dll"..del /F /Q "%

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\uninstall_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2513
                                                                                                  Entropy (8bit):5.408021383480619
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2uMRFNu4TMlWkDqFNQ4ZNlV2MK71AynXV2MK71euV2MK7153w3uV:QFQ4SDC64ZLq7xq7zq7Z
                                                                                                  MD5:DB05A3CA2E7604DC2E29A922A4545075
                                                                                                  SHA1:0430C36BD56EAC3F65E0060CE91DC60E31F822C5
                                                                                                  SHA-256:9E0BD257BFE859F462EEE9E0F1DC20768425F73C9E90B0F7F5EE450726FBB56F
                                                                                                  SHA-512:9FDD486F4F7F5D1ED3CBEF4A2246416F88643E27E76D79A433E5450D8790BA264C3219555A0CB57602BC2E3F884C1E1449EA0688D59355D68E23DBE9499F8B60
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..utils\DIFxCmd64.exe /u stprinter.inf >> inst.log..utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\x64\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\x64\3\xdbook.dll"..del /F /Q "%WINDIR%

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7680
                                                                                                  Entropy (8bit):5.202360830491015
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:6HbQ34Dthj/wKzGMdCprD4iZ7F+gUABoTndoIvJJGtVAm6XyC7tCEqqb:6Hs4thgNDZ7F+gvqdHvJJ4VR6XPnb
                                                                                                  MD5:B6CA717203EF9E8DD1205CAC5D3AF38F
                                                                                                  SHA1:818438149A92551042A5D2ABD9000DBE67D93C67
                                                                                                  SHA-256:66986A04FDEF120D7F18351648A8737979DFAA3CA82F6504B3EA14F45BEC130C
                                                                                                  SHA-512:99D21F55B7E754A2D6063BE9302874D757344893CB496F574C2DB7F124071C361894508BADF7137B17A572EF9792F7E3B3C21292250D76CD33B9863D52A300D6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8..|..|..|..u.!.}..u.7.i..u.0.~..u.'.{..|..W..u.>.~..u.%.}..Rich|..................PE..L.....8R..................................... ....@..........................`......q.....@.................................."..P....@.......................P..T.... ...............................!..@............ ...............................text...>........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216416
                                                                                                  Entropy (8bit):6.5890891928333435
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:8JzsVxRROApObap+CPSxzqNJ3pvfsFMV2+/SRVxy8iK:8EOb5x2NxqFMaP
                                                                                                  MD5:D57E38A511B607A79307F6966D5F862A
                                                                                                  SHA1:7F66DC176D9BDE0715A9050CAD9BA91785F7B192
                                                                                                  SHA-256:EF3A7B03F011CBAD96F503BF12BD151B97BAE1EACC700A7F352D175CCFDDB969
                                                                                                  SHA-512:72DF85067747090A20441F052796F5BCED00B4F8268568F14646A0C5A0CCD27DC87C9AFEEC689178F885CEDEE0636D61F238F36348F66E7D2EE940D09130C2C1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x...<..<..<..5.5.3..<.....5.3.*..5.%.B..5.4.=..5.".k..5.2.=..5.7.=..Rich<..................PE..L....N.\...........!.........v......8........................................P......R.....@.........................@...}...\...........................`A... ......@................................T..@............................................text............................... ..`.data....>..........................@....rsrc...............................@..@.reloc.../... ...0..................@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):214992
                                                                                                  Entropy (8bit):6.578816818366091
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:1yYZVBVmekQ5ncHc43wAmaxEJg3tNqYU51pQ8DfqXF7q9B24CvJ6BAQ:1y8Vf1uTHNqYUH+8GeMvJ4t
                                                                                                  MD5:DDBCBCED9CCBA27D296B680D04178B1D
                                                                                                  SHA1:5BE1EF49678E4F9250B675DFE595DF1219DD7EF9
                                                                                                  SHA-256:B23B42E24EAB4E2F1DD94711EEC741F94D39F5EBAF238820A0B9D464522C24D2
                                                                                                  SHA-512:B913058A50A4235925F208E9FA8740DDA1A070168285401FD9C9032C0CC782887F5D92A0D68796D7473E61EE8DDC1E863503C288CAD1F99C233A0DEDE37CB314
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......mX.])9r.)9r.)9r.oh...9r.oh..<9r.oh...9r. A..&9r.)9s.G9r.$k...9r.$k..(9r.$k..(9r.)9..(9r.$k..(9r.Rich)9r.........................PE..L...-..Z...........!................(C...............................................:....@.............................Y............P...............0.......`..........8...........................8...@............................................text...p........................... ..`.rdata...e.......f..................@..@.data....4..........................@....rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):156512
                                                                                                  Entropy (8bit):6.590357914627137
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Wooboos//G/jWDiNza6LR07qZ2bzl409+E/PXwCSp6WKsAqHew+1l7nkrZg8iE:WooyFiJRmbzl4mZYYqHz+1l7ki8iE
                                                                                                  MD5:C892519FE8AE2163C1368579EEC134F3
                                                                                                  SHA1:D5C75AABEDAD20373E7CA40CAF5C986C850974BE
                                                                                                  SHA-256:B8C8B0F1DB2CEA6FAB3EEE350143BC677DA3A1E4B246325852B8A0B94A4A77D4
                                                                                                  SHA-512:7A2C0C78237E8528AD691D2F7377D33FFCCA06925359CAD0B787DF919A81EDDCB9296F1EE446BDE83CECF3520A070E72BE7956838BD1337987B422127121E093
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........7...V..V..V..._..V..V..V...Y..V...O..V...^..V...H..V...X..V...]..V.Rich.V.........................PE..L....N.\...........!.........`.......q.......................................p......(.....@.............................{.......x....0..............."..`A...@......................................P>..@............................................text...;........................... ..`.data...@2..........................@....rsrc........0......................@..@.reloc..D$...@...&..................@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):169312
                                                                                                  Entropy (8bit):6.584431984131001
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:XizpEi8PNuoyZLy39r4BRyFr8Tjqe1LP+0hORTj8i0K:XUpX8FYFyB8T2oyREtK
                                                                                                  MD5:4FFADA79BA20A933429F72D3B8CF61D9
                                                                                                  SHA1:77E7346EF7E7A31A8000150B4B0E4B21CA3BF381
                                                                                                  SHA-256:0FF6DD54C4DC7368BD7BAEFFA8CBD294DB31AA318F8F0FBD9088C15B61EB8854
                                                                                                  SHA-512:839ABEBEF1A76D168043C8DDFB6B8DF958CA89C3DF602B5B538EB6398332E785C4B0359CB6DF557252BD1191BCAC5C1E1AED6942D2848B5C898BA2FC8EF8D0B7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c....j..j..j.z...j..k...j.z...j.z....j.z...j.z....j.z...j.z...j.Rich..j.................PE..L....N.\...........!.........b......%........ ......................................O.....@.............................z............`...............T..`A...p.......................................C..@............................................text............................... ..`.data....2... ......................@....rsrc........`.......&..............@..@.reloc..t&...p...(...,..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):204128
                                                                                                  Entropy (8bit):6.5795919533739005
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:9w8wZDxspqPfbuSqQCoSz6/e1+1FiATl8i9:fw3owojmVW0
                                                                                                  MD5:B4AD99DFCCB67C77F6C8E142EE5AD5BA
                                                                                                  SHA1:D10B7BE8A5C339185B8E409D4C0BE2103230BAA0
                                                                                                  SHA-256:5A280F84B70F41D90B122DBC8E8FCBDA414353CC5C87580FA30B3B51B7696207
                                                                                                  SHA-512:EEBC321D90737E161B452D6E27398D1CC1D4737DBE90F7FE5C407C1732178E30CD87228FB0C8B6C6F3B118DC7E46985D231F3059996452861BFCA1AD4A098077
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c!...O..O..O.z...O..N...O.z...O.z....O.z...O.z....O.z...O.z...O.Rich..O.........PE..L....N.\...........!.........h......Z}....................................... .......-....@.............................|............... ...............`A......4... ................................M..@............................................text...<........................... ..`.data....3..........................@....rsrc... ...........................@..@.reloc...-..........................@..B................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):254816
                                                                                                  Entropy (8bit):6.5058723884762335
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:kw+rqKMvEZF6VPvVpb1eTjLp8D3qkTmII9b9zC+l+smDP00IPWx2wUj8ii:kdrWgFEPNB+MPTHIWjP00IedH
                                                                                                  MD5:BB8D8CE6F052BE2BA3A39768528B88C6
                                                                                                  SHA1:0C2D48F22C7231C52C9FDDD35120E971ABA05EC4
                                                                                                  SHA-256:B61BA88D2BB36A0A56F00C455BBC530703415F176B5715E9D24FAB82CC935140
                                                                                                  SHA-512:EF3CED636733BCF45CE4E1D21D33F50945D6FFE2A5478A19D538A30C3071E5F78D539B0E3718EEAF404614EEE182E60AE3697E499C0D7EC769D272CD5B58CCA9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r.Cr.Cr.C{.2Cy.Cr.C..C{.4Cg.C{."C..C{.3Cs.C{.%C*.C{.5Cs.C{.0Cs.CRichr.C................PE..L....N.\...........!.........................0.......................................l....@..........................(..k.......x........!..............`A.......,.. ...............................xO..@............................................text...+........................... ..`.data....@...0...$..................@....rsrc....!......."...B..............@..@.reloc...=.......>...d..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):248160
                                                                                                  Entropy (8bit):7.1098745205591625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:AG9NqQQHPItXExQNj+mB92u+CW5D37LnuHc45X0T5/uyFNJpfUarTtvU8il:f9AP2b+mBQVJLnYlETtug5jw
                                                                                                  MD5:62945189F63210AFE22EC07C93A323C2
                                                                                                  SHA1:ADEE11D641B6BC9E9F46B95388680D291C795A33
                                                                                                  SHA-256:DD36F7448202BB06C634DD18F911B830615B61E9849900C7DCD92B1157F2C671
                                                                                                  SHA-512:B62D7E7668F2E02330690D373EFB815FBBBD12E771FDB4EA46EDA8386AB8A969DB40158132F8C15ACA65C87CDF8920D46075055BB9B73DF42FD49777DF7EB6BD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................_.........B....Y......O.....^......H.....X......].....Rich....................PE..L....N.\...........!.........t...............@............................................@.........................p<..|...<1..........................`A..........P................................C..@............................................text....,.......................... ..`.data...@2...@.......2..............@....rsrc................H..............@..@.reloc...*.......,...\..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):258400
                                                                                                  Entropy (8bit):6.288592681682295
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:I3LIl4XgsSVloTnPYdn7lJZRZ8QXqsJ3H+:IUlJVmgh5asJ3+
                                                                                                  MD5:372C4A2430E2BF3E0A3C0D51996ADEA5
                                                                                                  SHA1:F6F2F8D750D08BE940AE2B655804C106E9C7491D
                                                                                                  SHA-256:FE632C826ABA5F694DE6684506B72BDECBFD712E9DE2ACDDDE1F2C880EE2646B
                                                                                                  SHA-512:C017A180893D39463068DA5DF647D959603CEE7979CA420963FEF9D09309FCA0B744D7268DC2A0FC4AFCD41F912714CF14003CC9AC5FB6A033AA91962E9981C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......>.V.z`8.z`8.z`8.s...{`8.s...u`8.z`9..`8.s...s`8.s...O`8.s....`8.s...{`8.s...Y`8.s...{`8.s...{`8.Richz`8.........PE..d....N.\.........." .....H................................................................@..........................................U..}....J...................)......`A......`...@................................................................................text...-F.......H.................. ..`.data....O...`...*...L..............@....pdata...).......*...v..............@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):237008
                                                                                                  Entropy (8bit):6.30179636306813
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:B+2HsTNg3ex5PUwoEK2dvK7PnGxOkf9V3QhjTvI9Nle9owmPDXpUIJonb:BDHsT2qvoEKMAGxOkVJQhjTAEgY
                                                                                                  MD5:7DD3CA728E061F9C438209935DF41FD8
                                                                                                  SHA1:D291C17619FB2E9B8A4CF07B53A56DC60CFB4C8E
                                                                                                  SHA-256:F19F300E4623E3B57F870D8E4B150F2E70D29E6CB47750671D53667BB0804202
                                                                                                  SHA-512:E7D0AB0EB37F6B245B1EBDE46C2D9184AB801EB659E4F4ED7C2AFD07843A1646612290AD3C315EE9BF7FC1A9425B58E2A03810014DDBB621EB46B331AA2E753E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w..w..w...&..w...&..:w...&-.w..c.9.w..w...w..%..w..%..w..%).w..we.w..%,.w..Rich.w..................PE..d...+..Z.........." ................|N..............................................;.....`.........................................`;..Y....;..................0!..............T...@...8...............................p............................................text...[........................... ..`.rdata..............................@..@.data....?...P.......8..............@....pdata..0!......."...T..............@..@.rsrc................v..............@..@.reloc..T............~..............@..B........................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):178016
                                                                                                  Entropy (8bit):6.354805848687379
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:X0fRIF+SwIL9Bagg2mCEPToX/ITpu0uOpDSgb2WXa+qubG8iu:EfaCIJbglCe1Vu0uIDSlWtf
                                                                                                  MD5:D16039589730B0C6E6B5227C041FB1B4
                                                                                                  SHA1:F8F942DBB62CBC15F7ED0BE8750C9C564638FBF8
                                                                                                  SHA-256:ACA0DF6F5EB1DE40506943B30BBDA614F886523C093F5C9A3587C3E1161F0DF0
                                                                                                  SHA-512:35ED0D4AD06E4979970CA2AD58B81735E50AAB755605216BB059EBE698B82F6C627F5F7E29ADC9FB3BC58C7EFB4E8ACA2B323F2E2813D4EA7EE39363DE0E1D64
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........#U..pU..pU..p\..p^..pU..p8..p\..pT..p\..p\..p\..pe..p\..p"..p\..pT..p\..pA..p\..pT..p\..pT..pRichU..p........................PE..d....N.\.........." .....*...j......................................................K.....@.........................................`8..{.......x....................v..`A..........p................................................................................text....(.......*.................. ..`.data....?...@......................@....pdata...............L..............@..@.rsrc................h..............@..@.reloc...............n..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):196448
                                                                                                  Entropy (8bit):6.349185940783631
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:lSUAV0AVZrAVOVrHYapV5Ddr1oxkg9gh0CBEACcodM5nY+WVFGoEM8ip:AvPb6OVrVNJ1ufqBEACjG/Y
                                                                                                  MD5:A88901EB863EC013B461A84DACB4C795
                                                                                                  SHA1:40303F44732A2C8DBEAF4EC13CD32FCED66D8F8A
                                                                                                  SHA-256:FF295F8914F76DFE707455FE633BFC42B805BB4D3274C2290E1E5D56A383E969
                                                                                                  SHA-512:92BD7F2CE6DB83A744972503B4352ADC210FE10C0BDC026F953A925361365E95B79A4A1CEF3677266AE7178FAC24AA64A353115362E987F1DFD84BA38A6F9B25
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........4...Z...Z...Z......Z...[..Z.......Z.......Z......Z......Z.......Z......Z.......Z.......Z.Rich..Z.................PE..d....N.\.........." .....n...n...........................................................@.........................................0}..z....r..........................`A..............................................................X............................text....m.......n.................. ..`.data....?...........r..............@....pdata........... ..................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):253792
                                                                                                  Entropy (8bit):6.319719994714089
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:NuctDSdRbMOiymM/Cufn5B+1jowgreeTwcV1:NqXMOFmA5VwgBEg1
                                                                                                  MD5:668A98269B12A2C17E39137AC8D7B716
                                                                                                  SHA1:E438E9031338158FE70B9D7821200DC4929380CA
                                                                                                  SHA-256:200D323E0842ABC93E22F6D475928AB0DAC6AA9F3824CF8E729E8049852AC54A
                                                                                                  SHA-512:E2E425489A084022AE23AF65D4869B24A247E3159DA5ED4E31B0CDB11C0BE30AF9EEA12ECF68F9C8269B60ECC1BB489F3EFDE00F4F8885AA2631EFAB3E54BCBC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......kNgi//.://.://.:&W.: /.://.:R/.:&W.:./.:&W.:&/.:&W.:./.:&W.:W/.:&W.:./.:&W.:./.:&W.:./.:&W.:./.:Rich//.:................PE..d....N.\.........." .....>...~......`................................................8....@..........................................L..|....@.......... ........*......`A...........................................................................................text....=.......>.................. ..`.data....A...P... ...B..............@....pdata...*.......,...b..............@..@.rsrc... ...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):342368
                                                                                                  Entropy (8bit):6.187004427741537
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:T7NLhV1jxjcVfgFf6QlJpYw4MxuiMRZI7CPdxV4eZ+PyRPP00I7Q:T71j1aVfgFiQ/ug/GMQ
                                                                                                  MD5:96BDC666BCD7D432D6C7D4170C8E6046
                                                                                                  SHA1:1B705A191731ECA3369435D9906C8275C5D326C2
                                                                                                  SHA-256:DC4C32919B533A79D9EA76BDE59975DD149AA9C7B7278B076019C080A3A97C56
                                                                                                  SHA-512:DDD9E42633F98A7E5F6F7E3E4571815F9D80EA16084B23A82DBE22E929FD6F0BD791EB3DFA7BB229D73D101C66077C99FE47A5CEAB1DF6917A6E4DF209853162
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........f2Ji.aJi.aJi.aC..aKi.aC..aAi.aJi.a?i.aC..aCi.aC..azi.aC..a>i.aC..aKi.aC..aci.aC..aKi.aC..aKi.aRichJi.a........................PE..d....N.\.........." .....P...........N.......................................@......~d....@..........................................]..k....S..x........!.......:......`A...0..........................................................P............................text...[N.......P.................. ..`.data....V...`...6...T..............@....pdata...:.......<..................@..@.rsrc....!......."..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):282464
                                                                                                  Entropy (8bit):6.880530047125276
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:tj4c/JPjXOQTuGkfIpmWpnETJLnYlETtuwv:tj4cBbEZTTJDY+jv
                                                                                                  MD5:F26D954E0F23049CAA4F698934DB5371
                                                                                                  SHA1:B0FC39DFF9871778A767B95F0D1CD6E56F939071
                                                                                                  SHA-256:186500D4E31ADF5FA2DC02F112EDE6FCA86C1BC48731EA224CFE83C160ABD1CD
                                                                                                  SHA-512:BF79667EC9E85FCC6214BB8B3352DCF4B43A042708F471C293B507574A446D938C4E5981C6E9FA4E81AF98A91B6A72CB678F06B91E064F3FCA48744DC0DFF94F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}?...QH..QH..QH.d.H..QH..PH?.QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QH.d.H..QHRich..QH................PE..d....N.\.........." .........................................................`...........@.............................................|............0...........$......`A...P......`................................................................................text............................... ..`.data....>..........................@....pdata...$.......&..................@..@.rsrc........0......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\install_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):870
                                                                                                  Entropy (8bit):5.164710229415834
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kcrGqwAcK/EyAZRVowyyAcK/E2kam0LYDeegidym0EZkBqq6JFpYpFSqq6JFrmp5:BrWWFwD7WR8mI/xOZE
                                                                                                  MD5:50B0957220D10275274CAC025EAA6883
                                                                                                  SHA1:8F677ED1CD73A05F634AA06AD6BED1DA4C6BD80F
                                                                                                  SHA-256:B76D74AEC705A3F9FD055307A966777ADB279FB06D03524C992E608FE73AEB22
                                                                                                  SHA-512:C62DAAC3AC516500D819718BF5697D948B6EB684276A21A80E6E9C26FE5F1D0593D7FE281702D3BC48D2A1897B0EB7BD910CEE0978950C0F6636FB86E72B6BD3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\install_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):882
                                                                                                  Entropy (8bit):5.192332970304343
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:kcrGqwAcK/EyAZRVowyyAcK/E2kam0LYDfyegidym0EZkBqq6JFpYpFSqq6JFrm7:BrWWFwD7WR8fCI/xOZE
                                                                                                  MD5:16BBC22B18C5325649C98DD02F3DDDBF
                                                                                                  SHA1:B6F97171D20CBC84DEDB07C304F92B25B5A08450
                                                                                                  SHA-256:8C3BED319076C7B27FB5D9CD7DCE31E8EE09624E191BC3D709962426FB12951A
                                                                                                  SHA-512:293E8BF93A22021FD80AA95A30965287BF40F5030DA457BC16D004E86C3B3FF8983DA8C0D743A42F1CBF935A2EB8E1CB5FCB488914B51330686B2C60BD1C71B9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....\utils\PrnPort.exe /a >> inst.log..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. reg add "HKLM\SOFTWARE\Wow6432Node\Splashtop Inc.\Splashtop Remote Server" /f /v "PrinterINFa" /t REG_SZ /d "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log.. IF NOT EXIST "%ProgramData%\Splashtop" mkdir "%ProgramData%\Splashtop".. IF NOT EXIST "%ProgramData%\Splashtop\Temp" mkdir "%ProgramData%\Splashtop\Temp".. ECHO Found "%WINDIR%\System32\DriverStore\FileRepository\%%a\stprinter.inf" >> inst.log..)..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\p_mount.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):214
                                                                                                  Entropy (8bit):4.631936044721133
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Hjsm6y9jcK/ES2d6y9jcKZS2bVXzLYwkrnRS2n:DWAcK/EyAcKZRVowyh
                                                                                                  MD5:88E59700F53DE95D2847B9687764BE30
                                                                                                  SHA1:CD5780DBF1C711B9C28DC001F4149BA3251BECF7
                                                                                                  SHA-256:B085F4E0D6A7A4DC967C96D7C318CB749BC497135FD9E35D7AD0C88E6C53F577
                                                                                                  SHA-512:6E7D2FD4CF87B63BAB39E225362ECBE60F52FAB0DA42C97834B8EA59D653CDBD06B98E2C490C5465B1999AF2F7869F729CBFC34E55D5ECC768D85D48B9874374
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:cd %~dp0..rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"..rundll32 printui.dll,PrintUIEntry /q /if /b "Splashtop Remote Printer" /f stprinter.inf /r "StPrinter" /m "Splashtop Remote Printer"

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\p_unmount.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):203
                                                                                                  Entropy (8bit):5.068283784998216
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:mKDDQFGCTWYdym6F9K2MLgZ+X0KcK/F+N7oaf/DEd7/JQF9K2MLgZ+X0KcK/FvK2:hsICTJ6y9jcK/ePD0Sy9jcK/ES2uz
                                                                                                  MD5:FA3C191799254E542687F1F5D0974BC5
                                                                                                  SHA1:DC85AAC2AA31CD3DE9017E7E099581457AD4FBF2
                                                                                                  SHA-256:347B12E6E2FC79E2A3668625341D7642D531159FFE5B01AB2BC5469E0EFC6B3F
                                                                                                  SHA-512:635689814E63084910541BA68FE8ADE8FDFBC3D0100AFD61DDD13D07E61F3478BA75E4D24AA7B26DF21A3E46C4ED2B1C8789520C5634CAC63CFE32DCB1E8686E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@echo off....IF [%1] == [] GOTO RunDefault....rundll32 printui.dll,PrintUIEntry /q /dl /n %1..GOTO :EOF....:RunDefault...rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"...GOTO :EOF

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\stprinter.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19851
                                                                                                  Entropy (8bit):6.774813122930257
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:UelM68cpgw3otOCxH50u4RkeelMpSfpd/CJHJ2elMSJfApwtNJKGT1hvJNMvIqvQ:EWtO5smIwg9Zh3q8pUclGNbc
                                                                                                  MD5:1D56A3F8D7F5DAB184A8CC4FEDDAA173
                                                                                                  SHA1:75D291CB96FDC05D54C962F1CB08796EE439B22F
                                                                                                  SHA-256:84E1A32B4975E92477CF6A36D8931921DA735EF988E0C09A2B056F2904541B1E
                                                                                                  SHA-512:FB58167A98D9309A703F06D5C6414AB707B37E90A26BFC1C0812B10381C116FA6C7C26AC30FC8570B8F87186775BC64E7AF6D409A7D213FC3B4B76B0B7A76FB6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.M...*.H........Mx0.Mt...1.0...`.H.e......0.)...+.....7....).0.).0...+.....7.......m...G..|.O.p...190419044412Z0...+.....7.....0.(.0.... ....z.sXce...j.....Z.j.R...Z.#/.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........x.d.s.m.p.l.u.i...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... ....z.sXce...j.....Z.j.R...Z.#/.0.........w...'p....%.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...08..+.....7...1*0(...F.i.l.e........x.d.b.o.o.k...d.l.l...0.... ...v...f..t..t........n.....d.*1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0<..+.....7...1.0,...F.i.l.e........x.d.w.s.c.r.g.b...i.c.c...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... ...v...f..t..t........n.....d.*0.... ..T...x....0.DU._........z.^...1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...0:..+.....7...1,0*...F.i.l.e........x.d.p.g.s.c.l...g.p.d...0U..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\stprinter.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2793
                                                                                                  Entropy (8bit):5.507689832444162
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:JQUio6uDhMM/s4244P8/CW2T8/C0kApvgJCrC1sJCr+6pqEsXncT9tuhcOYEZ53t:JQUiRKhMostT9Ap4sr4ssraXx
                                                                                                  MD5:313535621266212971E303AF0AF4FE21
                                                                                                  SHA1:D81F9D3F7B638DE5EFCA0ECB0162A76485E2C2BF
                                                                                                  SHA-256:0B60A283CB98034CEE13118BF1F885A644479CC6F4B19D9E4D24A5FEC6064A1F
                                                                                                  SHA-512:8A1A716A2CAD85410F009EE0CDF570F4CA36E3A182927CA5B836F3FC0BEE466F0C4E8B583694A6A4014CE60C45A2439119BF0C1ADDA0ED168053E9F08A6DF608
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$Windows NT$"..Provider=%splashtop%..ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}..Class=Printer..DriverVer=04/19/2019,10.0.10012.16386..CatalogFile=stprinter.cat....[Manufacturer]..%splashtop%=Vendor,NTx86,NTamd64,NTx86.6.0,NTamd64.6.0....[Vendor.NTx86]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTamd64]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_PRE_VISTA....[Vendor.NTx86.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[Vendor.NTamd64.6.0]..%splashtop.DeviceDesc% = INSTALL_XDSMPL_FILTERS_VISTA....[INSTALL_XDSMPL_FILTERS_PRE_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..PrintProcessor="MS_XPS,filterpipelineprintproc.dll"..ConfigFile=UniDrvUI.dll..HelpFile=UniDrv.HLP..DataFile=XDSmpl.GPD..Include=NTPRINT.INF, MSXPSDRV.INF..Needs=UNIDRV.OEM, XPSGPD.OEM, XPSDRV.OEM....[INSTALL_XDSMPL_FILTERS_VISTA]..CopyFiles=XPSDrvSample,ConfigPlugin,COLORPROFILES..DriverFile=mxdwdrv.dll..Confi

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\uninstall_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2561
                                                                                                  Entropy (8bit):5.431790187193416
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2uMRFNu4TMlWoDqFNQ29ZNlV2MK712DJNzaMR1X2kKJzgSZwlQXV2MK71euV2MKo:QFQ4SDC66ZLq7UAq7zq7E
                                                                                                  MD5:AD8561D2E73AFD63F5A088972D435467
                                                                                                  SHA1:FA7F53A308C00B0C5E1ACE95489658840EAF13A3
                                                                                                  SHA-256:68C4AF8BB6C4FB75CFA95739DF4E3B288DBBFB141E6851275E2F9EFFCA893015
                                                                                                  SHA-512:AA240EFD0EFD508CE48D444997E65DE8A36DE321764196C294F1366A77C3D30AEA6BF31AF53C7644BD3D027284B266D06D0B574E69598D50D44005718F3F2178
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....\utils\DIFxCmd.exe /u stprinter.inf >> inst.log....\utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows NT x86\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\w32x86\3\xdbook.dll"..del /F

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\uninstall_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2519
                                                                                                  Entropy (8bit):5.407961236238507
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:2uMRFNu4TMlWSDqFNQ4ZNlV2MK71AynXV2MK71euV2MK7153w3uV:QFQ4SJC64ZLq7xq7zq7Z
                                                                                                  MD5:5FD0095B7389DBEDA4EC394C06AC4657
                                                                                                  SHA1:7C5D1C3E2B062F6E993AB34292749B03FD7007A8
                                                                                                  SHA-256:692FE4C899554BBFA0A05A0183F46C23A24E48FB4371DC0863B7A24452FE5252
                                                                                                  SHA-512:F38926653AF960FE11AD843E7C89BB9DC62C29225D2DF10B0CA9BA4F668637BE053778EE726F42A2DC76FA801593A08A69DE4CDEFCB9BE037CA094D34773A8D6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..ECHO -- uninstall start >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found Backup [%%a] >> inst.log.. SET STPRINTERREGBAK=%STPRINTERREGBAK% %%a..)....rundll32 printui.dll,PrintUIEntry /q /dl /n "Splashtop Remote Printer"....\utils\DIFxCmd64.exe /u stprinter.inf >> inst.log....\utils\PrnPort.exe /d >> inst.log....for /f "tokens=*" %%a in ( 'DIR "%WINDIR%\System32\DriverStore\FileRepository\stprint*" /B /ON /AD' ) do (.. ECHO Found [%%a] >> inst.log.. ::Remove cab.. del /F /Q "%WINDIR%\System32\spool\drivers\x64\PCC\%%a.cab" >> inst.log.. ::Remove inf.. del /S /F /Q "%WINDIR%\System32\DriverStore\FileRepository\%%a" >> inst.log.. ::Remove reg.. reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\PackageInstallation\Windows x64\DriverPackages\%%a" /f >> inst.log..)....::Remove all files..del /F /Q "%WINDIR%\System32\spool\drivers\x64\3\xdbook.dll"..del /F /Q "%W

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdCMYKPrinter.icc

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Microsoft color profile 2.2, type lino, CMYK/Lab-prtr device by MSFT, 849080 bytes, 10-5-2006 15:02:14 "Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile f"
                                                                                                  Category:dropped
                                                                                                  Size (bytes):849080
                                                                                                  Entropy (8bit):6.924819797081704
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:nupHTMj2vkdYa+kYfwx+rbgal21W0M5SU1yr2U5fOFQw8LHxrLiYJVarTH46xL1F:upgavkz+UIUBRm020G7
                                                                                                  MD5:8EE08E7B69A5F2ECA6BB3A5EEDB48649
                                                                                                  SHA1:FF7CFA21BDCB220EC0450E76A1C2AB0854CAEBD6
                                                                                                  SHA-256:2B215C1FA5CAA10582BDAFE6B51A911C9D8B2B0B456EEEFF955064FDC3844D98
                                                                                                  SHA-512:12AEA33F800D5203811DE1FFA1181BD1B8A58C54BD52A9D2BF7A4084CC2BBC52C9E74E9434C41C6B1EB2CA451E81D5E11B3CE6B827BA4B0F14927EB4FAD62FF0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:....lino. ..prtrCMYKLab ............acspMSFT...................................-MSFT................................................desc........cprt.......1wtpt...,....A2B0...@....B2A0........A2B1...@....A2B2...@....B2A1........B2A2........gamt..^.....MS00...P..gfdesc........Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos...enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .C.M.Y.K.P.r.i.n.t.e.r...c.d.m.p.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......c........mft2................................................................................................................ !!""##$$%%&&''(())**++,,--..//00112233445566778899

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdbook.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1808
                                                                                                  Entropy (8bit):4.525972600570173
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9QltHlRIORmRCjR73RpRvrmRCgORmRCjR73RpRS:sDuH87FRDRmRCjRrRpRvrmRCbRmRCjRI
                                                                                                  MD5:9303837EFF41196B0FC3D6AD46FE43AF
                                                                                                  SHA1:9AFBCA730F3A98C5C43AC1AF156BCD6C3CE366E5
                                                                                                  SHA-256:ABD2E8A90B9949D61DF21DF88AED7040542555A0228BB0B375439F8488A06294
                                                                                                  SHA-512:9F8C9956CEB14B7A275B346A48A1C010DEB23D94BAB4E0FFD395D23B5573533EB80630092CA6A458D33762E55C260752CA294B5E0632179ECC18F17A0B961D55
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdbook.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Booklet specific GPD settings...*%....*%******************************************************************************..*% JobBindAllDocuments..*%******************************************************************************..*Feature: JobBindAllDocuments..{.. *rcNameID: =IDS_GPD_JOBBINDING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: BindLeft.. {.. *rcNameID: =IDS_GPD_LTOR.. }.... *Option: BindRight.. {.. *rcNameID: =IDS_GPD_RTOL.. }.... *Option:

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdcolman.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2718
                                                                                                  Entropy (8bit):4.658165462032682
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9xmSx8iZR/+eRxSRURJPRo/8nRFGR7RrXh8TpR9KbzkR5BMLkRWkc4:sDuHN/DRFRkRURJPRo/ARYR7Rrx+R98+
                                                                                                  MD5:3F80884F3D1F3B9D5D3C7279131ECB4D
                                                                                                  SHA1:17AB016E8AFA453B5A7DA19A6F2AB6AE0B3D78F4
                                                                                                  SHA-256:4D09EE22E6A9BFB33E13F5391830FFDA13A572DC6DA1E22D1DEE3D4CAD7BBBD9
                                                                                                  SHA-512:363579BDE28329209801FFA7EE0A3A5DD4278886453221768D2F3D7A1ECFE348884004FA08F9B6006E35A6098B72F1738B7B425C9AC8F5F2ACBDC5FD26EEA50A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdcolman.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Color Management specific GPD settings...*%....*%******************************************************************************..*% PageColorManagement..*%******************************************************************************..*Feature: PageColorManagement..{.. *rcNameID: =IDS_GPD_PAGECOLMAN.. *DefaultOption: None.. *PrintSchemaKeywordMap: "PageColorManagement".... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. *PrintSchemaKeywordMap: "None".. }.... *Option: Device.. {.. *rcNameID: =IDS_GPD_D

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnames.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6871
                                                                                                  Entropy (8bit):4.6709110049190015
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:sDuHL5cq9ORGELoQ+4JH3U/y5EDeP8N4f6TfSqXYY0s9DOS:3HL5G0Ex+AX0yAePzO0S
                                                                                                  MD5:9196C9FAF999C94DA04F4679E823D753
                                                                                                  SHA1:BF4445CFF27EC04248BB645C74AAAF6B1EE95B6D
                                                                                                  SHA-256:411DFDB99C624831D1E755AD5D861ECE1C2EFCEF23A6C7F89F6C2BA251BBED0A
                                                                                                  SHA-512:94A3C1F51B03A91220F9AEF9D8BDDAB6DAD74BE971D5D16B5B308DC5403DE1AFCB3A8D40E0F48CEC1834DE596192BED99C78B03B2538A9594B99347B589650B1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnames.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver GPD resource names...*%....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }.. *Option: xdsmplui.. {.. *Name: "xdsmplui.dll".. }..}....*Macros: StdFeatureNames..{.. IDS_GPD_1PPS: RESDLL.xdsmplui.2000.. IDS_GPD_2PPS: RESDLL.xdsmplui.2001.. IDS_GPD_4PPS: RESDLL.xdsmplui.2002.. IDS_GPD_6PPS: RESDLL.xdsmplui.2003.. IDS_GPD_8PPS:

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnup.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4068
                                                                                                  Entropy (8bit):4.508459493570281
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:sDuHqDYRxRGRDRPRbRERfRSdg9Re9RxjR4RURFRjjRkRSRA1sogRyRGRDRPRbREN:3HqZtgst0P
                                                                                                  MD5:CFFD55A27BDF496CABE9C41E80A42A72
                                                                                                  SHA1:09225D86A48948152DE3AF346491B893579253CA
                                                                                                  SHA-256:D0B69D3877190BFAFCADB90D9D4F6C81DA15CD5E3CBE45BAB4E60BC812FF32C0
                                                                                                  SHA-512:D1F0A7C72657897B2394D8C166D4E079CAB6CC3BE35621A8B014F541A1A73245DDD0865C4AE810E1784AC973AEA0419F7DFC42DA42A5B81284B539DC0A24EB29
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnup.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver NUp specific GPD settings...*%....*%******************************************************************************..*% JobNUpAllDocumentsContiguously..*%******************************************************************************..*Feature: JobNUpAllDocumentsContiguously..{.. *rcNameID: =IDS_GPD_JOBNUP.. *DefaultOption: 1.. *PrintSchemaKeywordMap: "JobNUpAllDocumentsContiguously".... *Option: 1.. {.. *rcNameID: =IDS_GPD_1PPS.. }.... *Option: 2.. {.. *rcNameID: =IDS_GPD_2PPS.. }.... *Option: 4.. {..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdpgscl.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2522
                                                                                                  Entropy (8bit):4.708364933060842
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9Ydp88+qRIOR3NRXRAR6R5eR7RZboRaYipRazRapjRafRa6RamRaRA:sDuHco4RDR3NRXRAR6R5eR7RZboRaYuY
                                                                                                  MD5:F492FC30EFAE3C1548C17D4419E37778
                                                                                                  SHA1:887F31639800999D7225AF1EE3F26B601D726401
                                                                                                  SHA-256:08FF54CC8DC7E978B8129017307F4455025FC37F891A9EE6CAD37ADA5EB0CEC7
                                                                                                  SHA-512:0F354DBC8B430B168EBAA1BBBAE48DFC6DD285912C1324673BD04AFBDD2947CC3BA8448B440337655377A43A40DC9592CDE26F71A635EEB12746877971C5519D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdpgscl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver page scaling specific GPD settings...*%....*%******************************************************************************..*% PageScaling..*%******************************************************************************..*Feature: PageScaling..{.. *rcNameID: =IDS_GPD_PAGESCALING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Custom.. {.. *rcNameID: =IDS_GPD_CUSTOM.. }.... *Option: CustomSquare.. {.. *rcNameID: =IDS_GPD_CUSTSQUARE.. }.... *Option:

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl-PipelineConfig.xml

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2476
                                                                                                  Entropy (8bit):5.158189280019379
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:qDG8kHYKsJyhBk//ojAd+6IG0c9RLN0KUvfaZhcLNhpMubDUHeLNq63PfaZhcLNM:qDhkHtsI4aV46+ZhOb2tZhzZh7jZh/v
                                                                                                  MD5:B628B4F8CC199D26E18FE27BD4A29BBD
                                                                                                  SHA1:CBB6FB510D708AE85CC0F715617BCD788A613727
                                                                                                  SHA-256:12DCC665FDEFEE3D3D771F5727F86FB812C606FCE0E7A3DA943A2072295D2984
                                                                                                  SHA-512:825E8583B140C3CA5C44669AAAEF7654A90977F15FD0959FC17DEE30E18C3275EDFE2366A5C90CE707AF28951A56194CBA0CBEE6967CD95FA9CA8CFD6EF189F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: ....Copyright (c) 2005 Microsoft Corporation....All rights reserved.....THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..PARTICULAR PURPOSE.....File Name:.... xdsmpl-pipelineconfig.xml....Abstract:.... XPSDrv sample driver filter configuration file. This identifies the.. filters that comprise the filter pipeline and their order.....-->....<Filters>.. <Filter dll = "XDWMark.dll".. clsid = "{B8B525BF-F147-460a-B2D5-9DFB1F30D0FD}".. name = "Watermark filter">.. <Input guid = "{b8cf8530-5562-47c4-ab67-b1f69ecf961e}" comment="IID_IXpsDocumentProvider"/>.. <Output guid = "{4368d8a2-4181-4a9f-b295-3d9a38bb9ba0}" comment="IID_IXpsDocumentConsumer"/>.. </Filter>.. <Filter dll = "XDScale.dll".. clsid = "{976EDCE4-274E-482a-97

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11986
                                                                                                  Entropy (8bit):4.7262628705263445
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:3HDc4F4V4U4k4v4g4L4wfyPUc5Bn+vjdQjNuDVjFfJCk72sI/72sIPTZGjo2D:KyPUc5Bn+bdsN4jFfJR25T25wZ
                                                                                                  MD5:E1F2A2FD0D41438A375F0DDC1822AA7C
                                                                                                  SHA1:267F8BFFABCCA4D46556519C105C0C6055B6F6D0
                                                                                                  SHA-256:606E0918952F5441D31F5335F09FD6AACAE0A5850A0174280FF34F6772A0B768
                                                                                                  SHA-512:1CF4B1E989819ECB134DCBD9C842F69D97A4949ED319D712BF14729C8A0BE0FF22122E3FADC4F4B2A86916F5EBF717E5CCE6E7620DD90EA73551CB523703EC0C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdsmpl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver main GPD file...*%....*GPDFileVersion: "1.2"..*GPDSpecVersion: "1.2"..*GPDFileName: "XDSmpl.gpd"..*Include: "msxpsinc.gpd"..*Include: "StdNames.gpd"..*Include: "xdnames.gpd"..*Include: "xdwmark.gpd"..*Include: "xdbook.gpd"..*Include: "xdcolman.gpd"..*Include: "xdnup.gpd"..*Include: "xdpgscl.gpd"..*ModelName: "XPSDrv Sample Driver"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 1....*%*********************************************************************

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl.ini

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):475
                                                                                                  Entropy (8bit):5.248799523355892
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:fp+BF8aNytrHLCSKsSHUJhGbkxIESnPEcF4RqWo40nUv:fp+D8MkHLNKsSyh2kBoP3FsqA02
                                                                                                  MD5:2EFCEBC23D661F3BFA0A4A4BE0588466
                                                                                                  SHA1:1ED92AEC943CFE143A7DBBCE2A82141D67FB9169
                                                                                                  SHA-256:DC50AFD088B0D72935D0CDF8F99071A7C80A4979BC9AF915016DD847F222EBE9
                                                                                                  SHA-512:FC1FF31E2CBFA1BC8A825548C6C4661236FAF12D8B75F25010E783DE116FC48B61F0188A4673C2C60A52181F6E7F0EFE39BF9B0A7D35B1937EC02B97FCCB7955
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:;..; Copyright (c) 2005 Microsoft Corporation..;..; All rights reserved...;..; THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..; ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..; PARTICULAR PURPOSE...;..; File Name:..;..; xdsmpl.ini..;..; Abstract:..;..; XPSDrv sample driver configuration file for UI plug-in...;....[OEMFiles]..OEMConfigFile1=xdsmplui.DLL......

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdwmark.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1554
                                                                                                  Entropy (8bit):4.555759044915239
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9Tmm8LYReOR1RwrRpRajx8LZRzQRVRC:sDuHnmmoYRVR1RwrRpRajxoZRcRVRC
                                                                                                  MD5:C922269B15071195905ACE600AC9B02C
                                                                                                  SHA1:BCC559EBBFCAC61A67905B5DBB9D3E8E27D413E5
                                                                                                  SHA-256:2FC61A7629E0382699E8178AC8131666BB1BADA65F9B7AC738E7620C1D3A4E40
                                                                                                  SHA-512:C4ACE0F94150ED02580A365798981FD30484B3E13576624620377F077AD4A6C0AA06ED3DBC1B8A64406F357321A9AD027A1A12D9C98A407D27B58CA857D74E84
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdwmark.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver watermark specific GPD settings...*%....*%******************************************************************************..*% PageWatermark..*%******************************************************************************..*Feature: PageWatermarkType..{.. *rcNameID: =IDS_GPD_WATERMARKTYPE.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Text.. {.. *rcNameID: =IDS_GPD_TEXT.. }.... *Option: Raster.. {.. *rcNameID: =IDS_GPD_RASTERIMAGE.. }.... *Option: Ve

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdwscRGB.icc

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Microsoft color profile 2.2, type lino, RGB/Lab-spac device by MSFT, 124856 bytes, 10-5-2006 12:14:35 "Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut M"
                                                                                                  Category:dropped
                                                                                                  Size (bytes):124856
                                                                                                  Entropy (8bit):6.796177094859484
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:wq47C9ZJMKkyYHlMRyu2FK0MjUq2mX14F4Q7asMM06KI:w29bMPyASyumQwmleHf91
                                                                                                  MD5:45CC4B43673056B8625ADD43EFDF33DD
                                                                                                  SHA1:2A7E28C7696CAF775344A31A23DCDADF15A5F1BD
                                                                                                  SHA-256:089BE57682C9F866DCCE74E1D174AA9816BC0992C1CE6EC01E03958964EF852A
                                                                                                  SHA-512:08A1FEA06EED5B874BE487F0F523ADCB98262FFA7158F54A724963827ACBF6318EEE99948AEB999C6F6EF875EA04E2B2377CBE623BB4679FB90BE785C75560DC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...lino. ..spacRGB Lab ...........#acspMSFT...................................-MSFT................................................desc......."cprt.......1wtpt...$....A2B0...8...ZB2A0.......ZMS00..U.....desc........Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos.enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .s.c.R.G.B. .v.i.r.t.u.a.l. .d.e.v.i.c.e. .m.o.d.e.l. .p.r.o.f.i.l.e.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......T........mft2................................................BeBwB.B.B.B.B.B.B.C.C.C"C3CECVCgCxC.C.C.C.C.C.C.D.D.D$D5DFDWDhDzD.D.D.D.D.D.D.E.E.E%E6EHEYEjE{E.E.E.E.E.E.E.F.F.F'F8FIFZFlF}

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdCMYKPrinter.icc

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Microsoft color profile 2.2, type lino, CMYK/Lab-prtr device by MSFT, 849080 bytes, 10-5-2006 15:02:14 "Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile f"
                                                                                                  Category:dropped
                                                                                                  Size (bytes):849080
                                                                                                  Entropy (8bit):6.924819797081704
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:nupHTMj2vkdYa+kYfwx+rbgal21W0M5SU1yr2U5fOFQw8LHxrLiYJVarTH46xL1F:upgavkz+UIUBRm020G7
                                                                                                  MD5:8EE08E7B69A5F2ECA6BB3A5EEDB48649
                                                                                                  SHA1:FF7CFA21BDCB220EC0450E76A1C2AB0854CAEBD6
                                                                                                  SHA-256:2B215C1FA5CAA10582BDAFE6B51A911C9D8B2B0B456EEEFF955064FDC3844D98
                                                                                                  SHA-512:12AEA33F800D5203811DE1FFA1181BD1B8A58C54BD52A9D2BF7A4084CC2BBC52C9E74E9434C41C6B1EB2CA451E81D5E11B3CE6B827BA4B0F14927EB4FAD62FF0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:....lino. ..prtrCMYKLab ............acspMSFT...................................-MSFT................................................desc........cprt.......1wtpt...,....A2B0...@....B2A0........A2B1...@....A2B2...@....B2A1........B2A2........gamt..^.....MS00...P..gfdesc........Created by Microsoft WCS from DMP: CMYKPrinter.cdmp, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos...enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .C.M.Y.K.P.r.i.n.t.e.r...c.d.m.p.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......c........mft2................................................................................................................ !!""##$$%%&&''(())**++,,--..//00112233445566778899

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdbook.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1808
                                                                                                  Entropy (8bit):4.525972600570173
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9QltHlRIORmRCjR73RpRvrmRCgORmRCjR73RpRS:sDuH87FRDRmRCjRrRpRvrmRCbRmRCjRI
                                                                                                  MD5:9303837EFF41196B0FC3D6AD46FE43AF
                                                                                                  SHA1:9AFBCA730F3A98C5C43AC1AF156BCD6C3CE366E5
                                                                                                  SHA-256:ABD2E8A90B9949D61DF21DF88AED7040542555A0228BB0B375439F8488A06294
                                                                                                  SHA-512:9F8C9956CEB14B7A275B346A48A1C010DEB23D94BAB4E0FFD395D23B5573533EB80630092CA6A458D33762E55C260752CA294B5E0632179ECC18F17A0B961D55
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdbook.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Booklet specific GPD settings...*%....*%******************************************************************************..*% JobBindAllDocuments..*%******************************************************************************..*Feature: JobBindAllDocuments..{.. *rcNameID: =IDS_GPD_JOBBINDING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: BindLeft.. {.. *rcNameID: =IDS_GPD_LTOR.. }.... *Option: BindRight.. {.. *rcNameID: =IDS_GPD_RTOL.. }.... *Option:

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdcolman.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2718
                                                                                                  Entropy (8bit):4.658165462032682
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9xmSx8iZR/+eRxSRURJPRo/8nRFGR7RrXh8TpR9KbzkR5BMLkRWkc4:sDuHN/DRFRkRURJPRo/ARYR7Rrx+R98+
                                                                                                  MD5:3F80884F3D1F3B9D5D3C7279131ECB4D
                                                                                                  SHA1:17AB016E8AFA453B5A7DA19A6F2AB6AE0B3D78F4
                                                                                                  SHA-256:4D09EE22E6A9BFB33E13F5391830FFDA13A572DC6DA1E22D1DEE3D4CAD7BBBD9
                                                                                                  SHA-512:363579BDE28329209801FFA7EE0A3A5DD4278886453221768D2F3D7A1ECFE348884004FA08F9B6006E35A6098B72F1738B7B425C9AC8F5F2ACBDC5FD26EEA50A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdcolman.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver Color Management specific GPD settings...*%....*%******************************************************************************..*% PageColorManagement..*%******************************************************************************..*Feature: PageColorManagement..{.. *rcNameID: =IDS_GPD_PAGECOLMAN.. *DefaultOption: None.. *PrintSchemaKeywordMap: "PageColorManagement".... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. *PrintSchemaKeywordMap: "None".. }.... *Option: Device.. {.. *rcNameID: =IDS_GPD_D

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdnames.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6871
                                                                                                  Entropy (8bit):4.6709110049190015
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:sDuHL5cq9ORGELoQ+4JH3U/y5EDeP8N4f6TfSqXYY0s9DOS:3HL5G0Ex+AX0yAePzO0S
                                                                                                  MD5:9196C9FAF999C94DA04F4679E823D753
                                                                                                  SHA1:BF4445CFF27EC04248BB645C74AAAF6B1EE95B6D
                                                                                                  SHA-256:411DFDB99C624831D1E755AD5D861ECE1C2EFCEF23A6C7F89F6C2BA251BBED0A
                                                                                                  SHA-512:94A3C1F51B03A91220F9AEF9D8BDDAB6DAD74BE971D5D16B5B308DC5403DE1AFCB3A8D40E0F48CEC1834DE596192BED99C78B03B2538A9594B99347B589650B1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnames.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver GPD resource names...*%....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }.. *Option: xdsmplui.. {.. *Name: "xdsmplui.dll".. }..}....*Macros: StdFeatureNames..{.. IDS_GPD_1PPS: RESDLL.xdsmplui.2000.. IDS_GPD_2PPS: RESDLL.xdsmplui.2001.. IDS_GPD_4PPS: RESDLL.xdsmplui.2002.. IDS_GPD_6PPS: RESDLL.xdsmplui.2003.. IDS_GPD_8PPS:

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdnup.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4068
                                                                                                  Entropy (8bit):4.508459493570281
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:sDuHqDYRxRGRDRPRbRERfRSdg9Re9RxjR4RURFRjjRkRSRA1sogRyRGRDRPRbREN:3HqZtgst0P
                                                                                                  MD5:CFFD55A27BDF496CABE9C41E80A42A72
                                                                                                  SHA1:09225D86A48948152DE3AF346491B893579253CA
                                                                                                  SHA-256:D0B69D3877190BFAFCADB90D9D4F6C81DA15CD5E3CBE45BAB4E60BC812FF32C0
                                                                                                  SHA-512:D1F0A7C72657897B2394D8C166D4E079CAB6CC3BE35621A8B014F541A1A73245DDD0865C4AE810E1784AC973AEA0419F7DFC42DA42A5B81284B539DC0A24EB29
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdnup.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver NUp specific GPD settings...*%....*%******************************************************************************..*% JobNUpAllDocumentsContiguously..*%******************************************************************************..*Feature: JobNUpAllDocumentsContiguously..{.. *rcNameID: =IDS_GPD_JOBNUP.. *DefaultOption: 1.. *PrintSchemaKeywordMap: "JobNUpAllDocumentsContiguously".... *Option: 1.. {.. *rcNameID: =IDS_GPD_1PPS.. }.... *Option: 2.. {.. *rcNameID: =IDS_GPD_2PPS.. }.... *Option: 4.. {..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdpgscl.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2522
                                                                                                  Entropy (8bit):4.708364933060842
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9Ydp88+qRIOR3NRXRAR6R5eR7RZboRaYipRazRapjRafRa6RamRaRA:sDuHco4RDR3NRXRAR6R5eR7RZboRaYuY
                                                                                                  MD5:F492FC30EFAE3C1548C17D4419E37778
                                                                                                  SHA1:887F31639800999D7225AF1EE3F26B601D726401
                                                                                                  SHA-256:08FF54CC8DC7E978B8129017307F4455025FC37F891A9EE6CAD37ADA5EB0CEC7
                                                                                                  SHA-512:0F354DBC8B430B168EBAA1BBBAE48DFC6DD285912C1324673BD04AFBDD2947CC3BA8448B440337655377A43A40DC9592CDE26F71A635EEB12746877971C5519D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdpgscl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver page scaling specific GPD settings...*%....*%******************************************************************************..*% PageScaling..*%******************************************************************************..*Feature: PageScaling..{.. *rcNameID: =IDS_GPD_PAGESCALING.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Custom.. {.. *rcNameID: =IDS_GPD_CUSTOM.. }.... *Option: CustomSquare.. {.. *rcNameID: =IDS_GPD_CUSTSQUARE.. }.... *Option:

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl-PipelineConfig.xml

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:exported SGML document, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2476
                                                                                                  Entropy (8bit):5.158189280019379
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:qDG8kHYKsJyhBk//ojAd+6IG0c9RLN0KUvfaZhcLNhpMubDUHeLNq63PfaZhcLNM:qDhkHtsI4aV46+ZhOb2tZhzZh7jZh/v
                                                                                                  MD5:B628B4F8CC199D26E18FE27BD4A29BBD
                                                                                                  SHA1:CBB6FB510D708AE85CC0F715617BCD788A613727
                                                                                                  SHA-256:12DCC665FDEFEE3D3D771F5727F86FB812C606FCE0E7A3DA943A2072295D2984
                                                                                                  SHA-512:825E8583B140C3CA5C44669AAAEF7654A90977F15FD0959FC17DEE30E18C3275EDFE2366A5C90CE707AF28951A56194CBA0CBEE6967CD95FA9CA8CFD6EF189F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: ....Copyright (c) 2005 Microsoft Corporation....All rights reserved.....THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..PARTICULAR PURPOSE.....File Name:.... xdsmpl-pipelineconfig.xml....Abstract:.... XPSDrv sample driver filter configuration file. This identifies the.. filters that comprise the filter pipeline and their order.....-->....<Filters>.. <Filter dll = "XDWMark.dll".. clsid = "{B8B525BF-F147-460a-B2D5-9DFB1F30D0FD}".. name = "Watermark filter">.. <Input guid = "{b8cf8530-5562-47c4-ab67-b1f69ecf961e}" comment="IID_IXpsDocumentProvider"/>.. <Output guid = "{4368d8a2-4181-4a9f-b295-3d9a38bb9ba0}" comment="IID_IXpsDocumentConsumer"/>.. </Filter>.. <Filter dll = "XDScale.dll".. clsid = "{976EDCE4-274E-482a-97

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11986
                                                                                                  Entropy (8bit):4.7262628705263445
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:3HDc4F4V4U4k4v4g4L4wfyPUc5Bn+vjdQjNuDVjFfJCk72sI/72sIPTZGjo2D:KyPUc5Bn+bdsN4jFfJR25T25wZ
                                                                                                  MD5:E1F2A2FD0D41438A375F0DDC1822AA7C
                                                                                                  SHA1:267F8BFFABCCA4D46556519C105C0C6055B6F6D0
                                                                                                  SHA-256:606E0918952F5441D31F5335F09FD6AACAE0A5850A0174280FF34F6772A0B768
                                                                                                  SHA-512:1CF4B1E989819ECB134DCBD9C842F69D97A4949ED319D712BF14729C8A0BE0FF22122E3FADC4F4B2A86916F5EBF717E5CCE6E7620DD90EA73551CB523703EC0C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdsmpl.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver main GPD file...*%....*GPDFileVersion: "1.2"..*GPDSpecVersion: "1.2"..*GPDFileName: "XDSmpl.gpd"..*Include: "msxpsinc.gpd"..*Include: "StdNames.gpd"..*Include: "xdnames.gpd"..*Include: "xdwmark.gpd"..*Include: "xdbook.gpd"..*Include: "xdcolman.gpd"..*Include: "xdnup.gpd"..*Include: "xdpgscl.gpd"..*ModelName: "XPSDrv Sample Driver"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 1....*%*********************************************************************

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.ini

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):475
                                                                                                  Entropy (8bit):5.248799523355892
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:fp+BF8aNytrHLCSKsSHUJhGbkxIESnPEcF4RqWo40nUv:fp+D8MkHLNKsSyh2kBoP3FsqA02
                                                                                                  MD5:2EFCEBC23D661F3BFA0A4A4BE0588466
                                                                                                  SHA1:1ED92AEC943CFE143A7DBBCE2A82141D67FB9169
                                                                                                  SHA-256:DC50AFD088B0D72935D0CDF8F99071A7C80A4979BC9AF915016DD847F222EBE9
                                                                                                  SHA-512:FC1FF31E2CBFA1BC8A825548C6C4661236FAF12D8B75F25010E783DE116FC48B61F0188A4673C2C60A52181F6E7F0EFE39BF9B0A7D35B1937EC02B97FCCB7955
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:;..; Copyright (c) 2005 Microsoft Corporation..;..; All rights reserved...;..; THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..; ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..; THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..; PARTICULAR PURPOSE...;..; File Name:..;..; xdsmpl.ini..;..; Abstract:..;..; XPSDrv sample driver configuration file for UI plug-in...;....[OEMFiles]..OEMConfigFile1=xdsmplui.DLL......

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdwmark.gpd

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1554
                                                                                                  Entropy (8bit):4.555759044915239
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:FCDZkHSs9/9Tmm8LYReOR1RwrRpRajx8LZRzQRVRC:sDuHnmmoYRVR1RwrRpRajxoZRcRVRC
                                                                                                  MD5:C922269B15071195905ACE600AC9B02C
                                                                                                  SHA1:BCC559EBBFCAC61A67905B5DBB9D3E8E27D413E5
                                                                                                  SHA-256:2FC61A7629E0382699E8178AC8131666BB1BADA65F9B7AC738E7620C1D3A4E40
                                                                                                  SHA-512:C4ACE0F94150ED02580A365798981FD30484B3E13576624620377F077AD4A6C0AA06ED3DBC1B8A64406F357321A9AD027A1A12D9C98A407D27B58CA857D74E84
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:*%..*% Copyright (c) 2005 Microsoft Corporation..*%..*% All rights reserved...*%..*% THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF..*% ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO..*% THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A..*% PARTICULAR PURPOSE...*%..*% File Name:..*%..*% xdwmark.gpd..*%..*% Abstract:..*%..*% XPSDrv filter feature sample driver watermark specific GPD settings...*%....*%******************************************************************************..*% PageWatermark..*%******************************************************************************..*Feature: PageWatermarkType..{.. *rcNameID: =IDS_GPD_WATERMARKTYPE.. *DefaultOption: None.... *Option: None.. {.. *rcNameID: =IDS_GPD_NONE.. }.... *Option: Text.. {.. *rcNameID: =IDS_GPD_TEXT.. }.... *Option: Raster.. {.. *rcNameID: =IDS_GPD_RASTERIMAGE.. }.... *Option: Ve

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdwscRGB.icc

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Microsoft color profile 2.2, type lino, RGB/Lab-spac device by MSFT, 124856 bytes, 10-5-2006 12:14:35 "Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut M"
                                                                                                  Category:dropped
                                                                                                  Size (bytes):124856
                                                                                                  Entropy (8bit):6.796177094859484
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:wq47C9ZJMKkyYHlMRyu2FK0MjUq2mX14F4Q7asMM06KI:w29bMPyASyumQwmleHf91
                                                                                                  MD5:45CC4B43673056B8625ADD43EFDF33DD
                                                                                                  SHA1:2A7E28C7696CAF775344A31A23DCDADF15A5F1BD
                                                                                                  SHA-256:089BE57682C9F866DCCE74E1D174AA9816BC0992C1CE6EC01E03958964EF852A
                                                                                                  SHA-512:08A1FEA06EED5B874BE487F0F523ADCB98262FFA7158F54A724963827ACBF6318EEE99948AEB999C6F6EF875EA04E2B2377CBE623BB4679FB90BE785C75560DC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...lino. ..spacRGB Lab ...........#acspMSFT...................................-MSFT................................................desc......."cprt.......1wtpt...$....A2B0...8...ZB2A0.......ZMS00..U.....desc........Created by Microsoft WCS from DMP: scRGB virtual device model profile, CAMP: Default sRGB monitor, and GMMP: Default Gamut Map Model Profile for photos.enUS....C.r.e.a.t.e.d. .b.y. .M.i.c.r.o.s.o.f.t. .W.C.S. .f.r.o.m. .D.M.P.:. .s.c.R.G.B. .v.i.r.t.u.a.l. .d.e.v.i.c.e. .m.o.d.e.l. .p.r.o.f.i.l.e.,. .C.A.M.P.:. .D.e.f.a.u.l.t. .s.R.G.B. .m.o.n.i.t.o.r.,. .a.n.d. .G.M.M.P.:. .D.e.f.a.u.l.t. .G.a.m.u.t. .M.a.p. .M.o.d.e.l. .P.r.o.f.i.l.e. .f.o.r. .p.h.o.t.o.s...........................................................................text....Copyright (c) 2004 Microsoft Corporation....XYZ .......T........mft2................................................BeBwB.B.B.B.B.B.B.C.C.C"C3CECVCgCxC.C.C.C.C.C.C.D.D.D$D5DFDWDhDzD.D.D.D.D.D.D.E.E.E%E6EHEYEjE{E.E.E.E.E.E.E.F.F.F'F8FIFZFlF}

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):55112
                                                                                                  Entropy (8bit):6.95804253448452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:+EmCoFSZSI9Xhq7xYQAucXy069A3hKhy06ia3hyKb3LCxLVNe9zLuX:+EmPFSYWXf69A3hK16x3hyKbOnNazSX
                                                                                                  MD5:9D62CBDE4079B1BE2CB1B91BDD74E539
                                                                                                  SHA1:C54E743DE54B9D1D35CDA8F15562483163A064C0
                                                                                                  SHA-256:63347E07C934A788F5996EF91D86F718C273DB6221BF448F0659F70194A65031
                                                                                                  SHA-512:E3DE199BAABCB087A07071D67F2A0EE3E0F01E06B23B75B6FDCF1146CE782263E1A63D32B4DAFF3699766FD3922AB41F9DCB4497398DB5F0DA9EA33F5FDDF24C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q...5..5..5..!..4..!..2..5.....!..3.....>.... .4.....4..Rich5..........................PE..L...;..b.................D...&......0p....... ....@..................................i....@E................................`p..P.......p............n..Hi...........(..8...........................8)............... ...............................text...w........................... ..h.rdata....... ......................@..H.data........0....... ..............@...PAGE.....,...@.......0.............. ..`INIT.........p.......^.............. ..b.rsrc...p............d..............@..B.reloc...............h..............@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):62816
                                                                                                  Entropy (8bit):6.690155437787919
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:7FkBLAYEMVmkPGsfD6ppH3hLW6G3heObqQyvzP:75YskPGiDaphWqOuQyvr
                                                                                                  MD5:9CE89A1A93E196AA261561B1E5C3AFC6
                                                                                                  SHA1:8ECDB82C1C4A9C4431826097EDB11718152AD7A5
                                                                                                  SHA-256:CBB084056495566BFC8D933D7094694053ADDB91C190F95F791016CF6368D94D
                                                                                                  SHA-512:A4E7E93819CDCFDF0ED468F0138AD2774D2D7D8A587A01A4745F61AC27DFCD41A49922827E7029FC7564DF3866C64464B7B131CEBF3D39AD85D94E533AE53C5B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........x...+...+...+..*.+..*...+...+..+..*.+..*.+L..*...+L.a+.+L..*.+Rich...+................PE..d...8..b.........."......R...8......0..........@.....................................%....`A....................................................<.......p....p..........`i......T....<..8...........................P<...............0..0............................text...)........................... ..h.rdata.......0......................@..H.data........P.......,..............@....pdata.......p.......@..............@..HPAGE....$7.......8...F.............. ..`INIT.................~.............. ..b.rsrc...p...........................@..B.reloc..T...........................@..B........................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\install_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285
                                                                                                  Entropy (8bit):4.794885910225241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:fAjsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9RNIgm9MOdELVb4NMD7:EWZ9dAudm95dyE239nd9RGpDdwh7
                                                                                                  MD5:1690361AD6F64AA935F0C71847F763B6
                                                                                                  SHA1:5F8682A46B5A4DF1F03D8078240F6619B0C90DDF
                                                                                                  SHA-256:D7CBA410A986FD863C69BDB98311A2F49E04F3ED7C1499C6A5557B7BA856B5AE
                                                                                                  SHA-512:2CE17EEF081E5C7F68E7584413C65242A1CE240B23F1226906DB6F6BC12E97B834545DA6B43BE5903D6EDBC66B1899634D9115E6688961F5547297819989D2EE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon.exe install stvad.inf *STVAD >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\install_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):289
                                                                                                  Entropy (8bit):4.864786270026779
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9RNIgm9MOdRL6Vb4NMD7:kWZ9dAudE95d0E239Jd9RGpDdCh7
                                                                                                  MD5:678C5FB9E1F87E4986E2B80B55740A9C
                                                                                                  SHA1:3E30F2B668EEAE7F8D0A192F6F3B9EE6213D58E8
                                                                                                  SHA-256:E04797F8F85EAAB68DA60C9E2F08E224DBF379ECC6085BD2A8C79974FF1D46E3
                                                                                                  SHA-512:B6FD46FE165ACB6169056465248078B9794669846B57E616F8DB923C6EDD324A625BE968E499463BADC7B99660A8CE3304333BA9D92D8907C98C6B3CB6B7DB6E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon64.exe install stvad.inf *STVAD >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\stvad.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11950
                                                                                                  Entropy (8bit):7.350152493437532
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:mgQzOQtQyQHOQqQWNJCHF1agjEwOXP6hYCe68JGlD/Jn9VOMbSX01k9z3AoXSkqr:INg/k6h3e1GlD/LVNSR9zrVqr
                                                                                                  MD5:6E88194D307CE842B43826CA7B473411
                                                                                                  SHA1:1C8767D498A53C6287EA89BCEB43A21C4F4AF479
                                                                                                  SHA-256:E75BF820E72813D3C46D11502267B3FE445E9A7F05E855DF97811D3E2333EE3A
                                                                                                  SHA-512:016B756C585648B0AF746E906302FC021516B0419DBD9B5444B11C709D3C6AE8CF330A1A49D7ACD341846D558FDC18C1DE5B97DA59ED53C887A854B8BDA5679F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.....*.H..........0......1.0...`.H.e......0.....+.....7......0...0...+.....7.....y...K.O.."+ H.I..220214055503Z0...+.....7.....0...0......(u..m.,..E5.IhF..1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...i.n.f...0....6=0..z..-.c..q..xS.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...s.y.s...0.... Vf.*...S.....3...7.D.%.Azv).`>1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... Vf.*...S.....3...7.D.%.Azv).`>0... .j.[6=uPASr......) .N.g].!i.1..0...+.....7...1...04..+.....7...1&0$...O.S.A.t.t.r........2.:.1.0...0...06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...i.n.f...0U..+.....7...1G0E0...+.....7.......010...`.H.e....... .j.[6=uPASr......) .N.g].!i.0.....U....Z....$......1..0...+...

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\stvad.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4338
                                                                                                  Entropy (8bit):5.5192534972153515
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:2kSMHhlJjFdN5JHzI8LeTMdH33I8vV4xmzAchZ8MMCuj:2kSMHdxdnJHTeT+3B4xm09j
                                                                                                  MD5:8E91B0F01FFE8DF22050392F91D8F28D
                                                                                                  SHA1:1ECD2875D29F0F6DE62C1DBA4535D7496846B70D
                                                                                                  SHA-256:946AE6ACA55B363D7550415372A8A483BEDA152920104EE4675DD4AC2169ECA1
                                                                                                  SHA-512:5B421B323084E851154C15E22769BDBA12C555DD8DF949B21719CF13C0549EEE1AC48C4EC4802EC08A725A4515C449BACE6E43F0DC67B54BAB1DB08D2408AA59
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature..= "$CHICAGO$"..Class...= MEDIA..Provider..= %ST%..ClassGUID..= {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer = 02/14/2022,1.0.3.0..CatalogFile .= stvad.cat....[SourceDisksNames.x86]..222 = "STVAD Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVAD Driver Disk","",222,\64bits....[SourceDisksFiles]..stvad.sys = 222....;;This syntax is only recognized on Windows XP and above- it is needed to install 64-bit drivers on..;;Windows Server 2003 Service Pack 1 and above.....[Manufacturer]..%MfgName% = SplashtopDS, NTAMD64, NTx86....;; For Windows Server 2003 Service Pack 1 and above, a 64-bit OS will not install a driver..;; unless the Manufacturer and Models Sections explicitly show it is a driver for that platform..;; But the individual model section decorations (or lack thereof) work as they always have...;; All of the model sections referred to are undecorated or NT-decorated, hence work on all platforms....[SplashtopDS]..%STVAD.DeviceDesc% =

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):206
                                                                                                  Entropy (8bit):4.79285514077006
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9R7:kWZ9dAudm95dyE239nd9R7
                                                                                                  MD5:9EAFE2CC76D906E1C4F0FCB2A485A453
                                                                                                  SHA1:51D48B136B7AD1BBA162D3674F249A6832F9B55E
                                                                                                  SHA-256:9C01560D63FA71D8492B5B866E02902EA5AD8DF54B5678DCA54160F787AD7BC2
                                                                                                  SHA-512:76D1A89F064AD7C9B89D9FBD06735837E4B47220F2B790B2BE3DCC63251923F7D0B2B8DB5B3983D4E7B94DA1DFCB3EC9EC81C0927446E05D4EECA9CD293CE4F8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):212
                                                                                                  Entropy (8bit):4.871313263028117
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9R7:kWZ9dAudE95d0E239Jd9R7
                                                                                                  MD5:A2DA78EF1F7BC59138D71F85D6310ECA
                                                                                                  SHA1:912DCBFF74495F0235A969BCE934B421086DD175
                                                                                                  SHA-256:A980C2CD38F4D2F06E6A5DC96BFFFB8EC39A7A1254D5FF6ED1E7F44048F66AE1
                                                                                                  SHA-512:32DAD786E55680F653F7F5570189E2C0F815CE0A69221B91743B67407587E9A13C414E5ECCEB2CD02A3C0A805E3D6D2639948DD22DFAC3B6FF56D74CC468AD56
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45320
                                                                                                  Entropy (8bit):6.720475524234058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:G9CoFe+yIPYhqU1YQ7YemerV3hvrOyk3hH63:G9PFe3VYq3hvrOX3hH+
                                                                                                  MD5:A9D239E41BAED5879255923481C73D11
                                                                                                  SHA1:FE581685174CEFCAD994BB8EC1A70537BB8CA626
                                                                                                  SHA-256:5118FB2A6A4B1E37AA12544E5864B77733739FB5EFBC4997F3A5A3EF385FE9B9
                                                                                                  SHA-512:5460CDDD61A79C9C4982106344F4354E55C93AC996EF7315DE635F2F45EFE8A9BDFF37664137E7307E8C9654BCD16ACC65B8471D08E09DAA798502B0973E3DAD
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................................#.........Rich...................PE..L....0Ca.................D...&......0p....... ....@.................................N.....@E................................xp..P.......p............n...C...........(..8...........................8)..@............ ...............................text............................... ..h.rdata....... ......................@..H.data........0....... ..............@...PAGE.....,...@.......0.............. ..`INIT.........p.......^.............. ..b.rsrc...p............d..............@..B.reloc...............h..............@..B........................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53000
                                                                                                  Entropy (8bit):6.411029825578745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:HD4P58VeNfba5EMjxMXOkvmWvwDtmmEfdgA5lER3hjgxW3hyB:8PiVeNYEMVz4TVRl+3hjgg3hyB
                                                                                                  MD5:E623E53FAE062F43180174FA01E7B6E0
                                                                                                  SHA1:7843125E12A3DF5A9DC1FB052CCC34B993A18F00
                                                                                                  SHA-256:D68E13044485D730E183449E3F34D45E319199D376C7528FC8DDA87CA5A22034
                                                                                                  SHA-512:26E342BC8E28CB447BF4F1FC4F1A7A0CA2186B4AC78CDC062B29CC206ED1FAC2E0825748DF26AA0E893795820A77D6D269F4DFCB2162E5877710D7DE8FD1365B
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t`X.............~.......~...............~.......~.......`.......`.......`......Rich............PE..d....0Ca.........."......R...8......0..........@.........................................`A....................................................<.......p....p...........C......T....<..8...........................P<...............0..0............................text...i........................... ..h.rdata.......0......................@..H.data........P.......,..............@....pdata.......p.......@..............@..HPAGE.....7.......8...F.............. ..`INIT.................~.............. ..b.rsrc...p...........................@..B.reloc..T...........................@..B................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\install_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):285
                                                                                                  Entropy (8bit):4.794885910225241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:fAjsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9RNIgm9MOdELVb4NMD7:EWZ9dAudm95dyE239nd9RGpDdwh7
                                                                                                  MD5:1690361AD6F64AA935F0C71847F763B6
                                                                                                  SHA1:5F8682A46B5A4DF1F03D8078240F6619B0C90DDF
                                                                                                  SHA-256:D7CBA410A986FD863C69BDB98311A2F49E04F3ED7C1499C6A5557B7BA856B5AE
                                                                                                  SHA-512:2CE17EEF081E5C7F68E7584413C65242A1CE240B23F1226906DB6F6BC12E97B834545DA6B43BE5903D6EDBC66B1899634D9115E6688961F5547297819989D2EE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon.exe install stvad.inf *STVAD >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\install_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):289
                                                                                                  Entropy (8bit):4.864786270026779
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9RNIgm9MOdRL6Vb4NMD7:kWZ9dAudE95d0E239Jd9RGpDdCh7
                                                                                                  MD5:678C5FB9E1F87E4986E2B80B55740A9C
                                                                                                  SHA1:3E30F2B668EEAE7F8D0A192F6F3B9EE6213D58E8
                                                                                                  SHA-256:E04797F8F85EAAB68DA60C9E2F08E224DBF379ECC6085BD2A8C79974FF1D46E3
                                                                                                  SHA-512:B6FD46FE165ACB6169056465248078B9794669846B57E616F8DB923C6EDD324A625BE968E499463BADC7B99660A8CE3304333BA9D92D8907C98C6B3CB6B7DB6E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log....REM install...\..\utils\devcon64.exe install stvad.inf *STVAD >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\stvad.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18540
                                                                                                  Entropy (8bit):7.313988713784432
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1+wARK7Nm4UB1LtL8JN77hh/onRK7Nm4UxY28JN77hh07V:8wUh23hRoR83hGV
                                                                                                  MD5:52973E06C8A2587300797DEBD419A08C
                                                                                                  SHA1:8D13082BEEF0B4240B67F7D04809A25C8CC3834F
                                                                                                  SHA-256:AACA5F16D57F7C9CBA15F8420FA57CB0F222F3FD28051FD1C103AEBEBA681D05
                                                                                                  SHA-512:60CE0E47DD5B42DB77BBF507AEB939CA26ECA50A5A6F5FF4731D4E65230335BC5F8E47A1B60466B6BB2CACB582F7F0BEACEAA956A2A50D5C5645F0591D4DF8B0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.Hh..*.H........HY0.HU...1.0...+......0.....+.....7......0...0...+.....7........[.nA.jC`.S....210916120921Z0...+.....7.....0...0....R5.6.4.E.F.8.7.0.9.0.7.9.8.F.7.A.6.2.5.7.4.B.6.0.2.C.F.3.1.2.3.D.C.E.D.2.3.4.6.3...1..O06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........VN.p.y.zbWK`,..=..4c0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R8.7.8.1.B.4.C.0.6.1.9.4.5.A.2.E.8.E.0.1.0.E.F.1.2.9.8.5.9.B.D.1.A.A.3.1.3.C.7.5...1..G06..+.....7...1(0&...F.i.l.e........s.t.v.a.d...i.n.f...0E..+.....7...17050...+.....7.......0!0...+............a.Z.....)...1<u0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....RF.4.9.D.9.9.6.B.8.8

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\stvad.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3217
                                                                                                  Entropy (8bit):5.702969738113695
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:2kQG735yUI8LeHdT3I8vV4xDKKr84QM5MFgWCwj:2kQG7pyye1B4x+I8pj
                                                                                                  MD5:1574CF3E123B96142ACF789F852119FF
                                                                                                  SHA1:8781B4C061945A2E8E010EF129859BD1AA313C75
                                                                                                  SHA-256:3FF183B875687A9A2BAF0FBEFA52AC04CD5E869E6E4FD535CC7D1D1F4825A003
                                                                                                  SHA-512:29EA441281BA5A4E7B427335E36D0D6FA2A103D852DD16E460C4BE62E2640AE2117C1C64CFE6BFDC2A22FE9ADDE71B74DB5A1A6BF80D7BE0953FD593401F0311
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature..= "$CHICAGO$"..Class...= MEDIA..Provider..= %ST%..ClassGUID..= {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer ..= 09/16/2021, 1.0.2.0..CatalogFile .= stvad.cat....[DestinationDirs]..STVAD.CopyList = 10,system32\drivers....[SourceDisksNames.x86]..222 = "STVAD Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVAD Driver Disk","",222,\64bits....[SourceDisksFiles]..stvad.sys = 222....[Manufacturer]..%MfgName% = Splashtop, NTAMD64, NTx86....[Splashtop.NTAMD64]..%stvad.DeviceDesc% = STVAD, *STVAD....[Splashtop.NTx86]..%stvad.DeviceDesc% = STVAD, *STVAD....[STVAD]..AlsoInstall..= ks.registration(ks.inf),wdmaudio.registration(wdmaudio.inf)..CopyFiles..= STVAD.CopyList..AddReg...= STVAD.AddReg....[STVAD.CopyList]..stvad.sys....[STVAD.Interfaces]..AddInterface.= %KSCATEGORY_AUDIO%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATEGORY_RENDER%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATEGORY_CAPTURE%,%KSNAME_Wave%,STVAD.I.Wave..AddInterface.= %KSCATE

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\uninstall_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):206
                                                                                                  Entropy (8bit):4.79285514077006
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdHNMDPVgOdyE23PVgmfd9R7:kWZ9dAudm95dyE239nd9R7
                                                                                                  MD5:9EAFE2CC76D906E1C4F0FCB2A485A453
                                                                                                  SHA1:51D48B136B7AD1BBA162D3674F249A6832F9B55E
                                                                                                  SHA-256:9C01560D63FA71D8492B5B866E02902EA5AD8DF54B5678DCA54160F787AD7BC2
                                                                                                  SHA-512:76D1A89F064AD7C9B89D9FBD06735837E4B47220F2B790B2BE3DCC63251923F7D0B2B8DB5B3983D4E7B94DA1DFCB3EC9EC81C0927446E05D4EECA9CD293CE4F8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon.exe remove *STVAD >> inst.log...\..\utils\devcon.exe rescan >> inst.log...\..\utils\DIFxCmd.exe /u stvad.inf >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\uninstall_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):212
                                                                                                  Entropy (8bit):4.871313263028117
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd9KwqJ6dAGgOdRLvNMDPVgOdRLKE23PVgmBd9R7:kWZ9dAudE95d0E239Jd9R7
                                                                                                  MD5:A2DA78EF1F7BC59138D71F85D6310ECA
                                                                                                  SHA1:912DCBFF74495F0235A969BCE934B421086DD175
                                                                                                  SHA-256:A980C2CD38F4D2F06E6A5DC96BFFFB8EC39A7A1254D5FF6ED1E7F44048F66AE1
                                                                                                  SHA-512:32DAD786E55680F653F7F5570189E2C0F815CE0A69221B91743B67407587E9A13C414E5ECCEB2CD02A3C0A805E3D6D2639948DD22DFAC3B6FF56D74CC468AD56
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\..\SRUtility.exe -u...\..\utils\devcon64.exe remove *STVAD >> inst.log...\..\utils\devcon64.exe rescan >> inst.log...\..\utils\DIFxCmd64.exe /u stvad.inf >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53008
                                                                                                  Entropy (8bit):6.847750617309462
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:b9aXVnIo4e86mU2IpU88ukl7qqOky4QqSmOOgY3hs3BMBs3hsU4hJt34lz2:b9uV54e8Q6uoramO43hs3h3hsU4/tgy
                                                                                                  MD5:48A8D41400F7D4729A0FB3102B2FD7AF
                                                                                                  SHA1:709FCD8676F7E618B1D519D7C84422D90EAC81AD
                                                                                                  SHA-256:158BF7761E9A254E5D4608E62D11B86A682E505413C86128999F8EDC6294645D
                                                                                                  SHA-512:845DA37A4FC90DB0E4D1A0CE51E9436F3AB65289C4CAE189999A72DC516F09750FBE43D681746E5BD0C5E4E90C246BC58ADF95239A19A3E3E71000C0E8B46018
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................................................#.........Rich...................PE..L...1.'a.................>...&......0p....... ....@.......................................@E................................xp..P.......p............h...g...........(..8............................)..@............ ...............................text...g........................... ..h.rdata..l.... ......................@..H.data...0....0......................@...PAGE....")...@...*.................. ..`INIT....8....p.......X.............. ..b.rsrc...p............^..............@..B.reloc...............b..............@..B........................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59152
                                                                                                  Entropy (8bit):6.649199158440194
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:Qidu9HV92g74x9xMtsqRdUx2PEvp/MuTP3hs0KI3hsE5Et367SH:09HV92Z9fx/MYP3hs0t3hsE+tK7+
                                                                                                  MD5:FFC5D6FFD92E2F5DD7D454B5EA624825
                                                                                                  SHA1:22DC6D072A87B95A215735D8A9002757F1C99F4B
                                                                                                  SHA-256:BF3806D063FD4982791FA5F5C50DDC5B7F49B40615F6CFCE96016571CA4AF7CB
                                                                                                  SHA-512:653CAB148E0CE24DF36C1EC02760F19C9100542FCA5885B665E8F98EE82118B7930D3B9C8BAF18C1D08B5E1D3D5F7B3DDF0041581116BA5973CE30DFF4C4A958
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t`X.............~.......~...............~.......~.......`.......`.......`......Rich............PE..d...-.'a.........."......H...4......0..........@.....................................g....`A....................................................<.......p....`..h........g......L....+..8........................... ,............... ...............................text............................... ..h.rdata....... ......................@..H.data........@.......&..............@....pdata..h....`.......:..............@..HPAGE.....1...p...2...@.............. ..`INIT.................r.............. ..b.rsrc...p............x..............@..B.reloc..L............|..............@..B................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):286
                                                                                                  Entropy (8bit):4.868409179176479
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:fAjsd94wqJ6dA3OdqA3PMOdyE23PMmfPP0NIgm4OdELV5FaA37:EWH9dAedNtdyE23rH0GpBdM97
                                                                                                  MD5:A9A42F8DE6BBE12230621C01C8FD5987
                                                                                                  SHA1:360D7B9C960AA8BCFAB960F5BC8FE4C8217BFF1D
                                                                                                  SHA-256:377B50263A4EC36A0133666CCC089CC065119FE290FA53D9397D414BFDE6DDF3
                                                                                                  SHA-512:CFCBE219768697E54E62F27C0BC318590055BD70BBAB73262ED93B4F7B8A993D6984DB2CE1A0DABE65A2E83204FAE61AB4896BCA56385E49DA7527B4567EDDFD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:rem echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon.exe remove *STVSpkSimple >> inst.log...\utils\devcon.exe rescan >> inst.log...\utils\DIFxCmd.exe /u stvspk.inf >> inst.log....REM install...\utils\devcon.exe install stvspk.inf *STVSpkSimple >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):290
                                                                                                  Entropy (8bit):4.94060950303714
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd94wqJ6dA3OdRLiA3PMOdRLKE23PMmBPP0NIgm4OdRL6V5FaA37:kWH9dAedDtd0E239H0GpBdm97
                                                                                                  MD5:9DC29B6F9CC69C534977BFCDC98E2705
                                                                                                  SHA1:4AA931BE2C7297A93CEC4172F48EDDD8DBC4E3AB
                                                                                                  SHA-256:78CEDF996370DF8A59521A77BDDB7118610924A02625AA53BFE47975A23B3B8D
                                                                                                  SHA-512:5227EFC53C6D12C012691A920ADB77B51E9E939294B7B690774BDC16EFAC877D9D92C409D5197244279F4BE8052CA8FA9FCD37D82178807DABA8D0F528F179A7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon64.exe remove *STVSpkSimple >> inst.log...\utils\devcon64.exe rescan >> inst.log...\utils\DIFxCmd64.exe /u stvspk.inf >> inst.log....REM install...\utils\devcon64.exe install stvspk.inf *STVSpkSimple >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18559
                                                                                                  Entropy (8bit):7.313796375225627
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:5eNwo6RK7Nm4UN1d08JN77hhOd5wTRK7Nm4UhkX88JN77hhOmT:Yw1n33hsd5wFIXf3hsmT
                                                                                                  MD5:3BEB01DAE131D8E2F595EA697676FD82
                                                                                                  SHA1:E4AE36B125E40E3964C176FAD1A2690317574A15
                                                                                                  SHA-256:B2E42C84B27299C6973FC976FF22837D156788A6D423286816DD9B551A959245
                                                                                                  SHA-512:DDCEB2EE00865574863F4E6D5CE32A4363FCBC85C42B75AE348FA1A09E1FC5284355A772E127372993560CA634B52447EE6F4CF7261691EB8EEDD0DD95731FEC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.H{..*.H........Hl0.Hh...1.0...+......0.. ..+.....7......0...0...+.....7.....]....qF.3o...!...210826123955Z0...+.....7.....0...0....R2.2.8.8.7.7.B.7.3.E.F.1.0.A.0.A.F.7.3.6.9.3.F.B.2.B.4.F.4.9.F.D.6.D.A.7.4.0.4.9...1..I08..+.....7...1*0(...F.i.l.e........s.t.v.s.p.k...i.n.f...0E..+.....7...17050...+.....7.......0!0...+........".w.>....6..+OI.m.@I0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.D.E.3.5.1.A.4.2.-.8.E.5.9.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R3.7.8.B.6.D.B.1.6.A.4.1.D.7.F.6.F.1.2.A.D.5.B.B.3.B.3.4.2.D.F.D.9.E.A.0.2.A.8.1...1..Q08..+.....7...1*0(...F.i.l.e........s.t.v.s.p.k...s.y.s...0M..+.....7...1?0=0...+.....7...0...........0!0...+........7.m.jA...*.;4-...*.0b..+.....7...1T0R...O.S.A.t.t.r.......<2.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1.,.2.:.6...2...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0....R4.C.C.A.0.5.0.E

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4530
                                                                                                  Entropy (8bit):5.531167619033096
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:TMuJlJjPHHXkP9bYxHJswZ4xNzp49RY8MMCuqx:TMuFDHX4yR4xNdezqx
                                                                                                  MD5:C6F9A3971989361505A22B26F16CBF33
                                                                                                  SHA1:228877B73EF10A0AF73693FB2B4F49FD6DA74049
                                                                                                  SHA-256:1D08A49A629D67FDC77E6EC38B90F10A2C7788BDE9EDE15075732DA010FCE8DB
                                                                                                  SHA-512:B49317454756DD29317838224D2B49A1D4CDB358B0BAE5EFBD6CD7F12CDEE018BF9F3A8D7D1484D64BA158821E3EBDC52D18BD601D999FFB9127A744BD477A3C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature = "$CHICAGO$"..Class = MEDIA..Provider = %ST%..ClassGUID = {4d36e96c-e325-11ce-bfc1-08002be10318}..DriverVer=08/26/2021,1.0.1.0..CatalogFile = stvspk.cat....[SourceDisksNames.x86]..222 = "STVSpk Driver Disk","",222,\32bits....[SourceDisksNames.amd64]..222 = "STVSpk Driver Disk","",222,\64bits....[SourceDisksFiles]..stvspk.sys = 222....;;This syntax is only recognized on Windows XP and above- it is needed to install 64-bit drivers on..;;Windows Server 2003 Service Pack 1 and above.....[Manufacturer]..%MfgName% = SplashtopDS, NTAMD64, NTx86....;; For Windows Server 2003 Service Pack 1 and above, a 64-bit OS will not install a driver..;; unless the Manufacturer and Models Sections explicitly show it is a driver for that platform..;; But the individual model section decorations (or lack thereof) work as they always have...;; All of the model sections referred to are undecorated or NT-decorated, hence work on all platforms....[SplashtopDS]..%STVSpk.DeviceDesc%=STVSp

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\uninstall_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):202
                                                                                                  Entropy (8bit):4.8854882526314825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd94wqJ6dA3OdqA3PMOdyE23PMmfPP07:kWH9dAedNtdyE23rH07
                                                                                                  MD5:3535AC984A69ED2E778B7F2B77618C94
                                                                                                  SHA1:3B6B19524DFAABDA5CF5FD2DD476A0108C928676
                                                                                                  SHA-256:98040E1CF91AB05E0341BAE64F1D8AD29077A5351C586F2507CFF4C41CA80A1C
                                                                                                  SHA-512:FD92393595D39F6260BB517DF38E82FBAB7BD7A9A79C276DEAFBDC69B123359F3D20C5A5B28AB06EFCB412E64E2AC940FA84FB130EAE9ACC778410119E7BF083
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon.exe remove *STVSpkSimple >> inst.log...\utils\devcon.exe rescan >> inst.log...\utils\DIFxCmd.exe /u stvspk.inf >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\uninstall_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):208
                                                                                                  Entropy (8bit):4.961978816753448
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajsd94wqJ6dA3OdRLiA3PMOdRLKE23PMmBPP07:kWH9dAedDtd0E239H07
                                                                                                  MD5:754E73406288B7E24396DE0B02C9767D
                                                                                                  SHA1:EE115F24C025725D5BC56DAF460CBB25084D1059
                                                                                                  SHA-256:A2B082F8CF5944558CA68BEEC0290C49A3E4080E3B364A9A64F6CC203DFD2339
                                                                                                  SHA-512:9C378936BE40F532C0866713417DC0F686F8067EE706AD96DC71BA9614378A9ACF1E481C95E25C0AA0C9E63CC23C237FAAB22E49BD773E138543F27C7F0AEA5E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0....REM uninstall...\..\..\SRUtility.exe -u...\utils\devcon64.exe remove *STVSpkSimple >> inst.log...\utils\devcon64.exe rescan >> inst.log...\utils\DIFxCmd64.exe /u stvspk.inf >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25040
                                                                                                  Entropy (8bit):5.182836790970066
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:RnmRA8diIqFr2hrkzbBglwb20HsOANRBUBR+uekbnYPLGKw:5183HrkXBhb2CI7BUBUnCtKw
                                                                                                  MD5:3C0B8DA5253B68665362881787681D04
                                                                                                  SHA1:8C2925071EBBB1D94B34DBC9B926CC96F3D6674F
                                                                                                  SHA-256:8DB1AF7E90197353FD346A2A4D60C7EACD506EBD593A9BCA811DC9C5D420E141
                                                                                                  SHA-512:5ED6163BD09A81D50059B816B3D188DDABA7F032C091CD21205F081CA1B4BB902129A5AA87ADF55B5910B193721226F2E82CC53D9A0DF0D833933F798FCF5471
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......e...!v.!v.!v.(.T.$v.!v.2v.(.R.#v.(.D."v.(.N."v.(.S. v.(.V. v.Rich!v.........PE..d...).9S.........." .....$..."....... ..............................................T........................................................p..<.......X....`.......J..........8....0...............................................0...............................text............ .................. ..h.rdata..<....0.......$..............@..H.data........@.......(..............@....pdata.......`.......<..............@..HINIT....T....p.......>.............. ....rsrc...X............B..............@..B.reloc...............H..............@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12008
                                                                                                  Entropy (8bit):6.164676951334965
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:C1XYhWsmdZunYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9/6onc:CBYhWsmdknYPL/p1P6j7rtc
                                                                                                  MD5:1A2D1119C830079A91FDB0BC96C68E9F
                                                                                                  SHA1:6DFD2D9E82F5ABF807402E81F837DEA3FBF24861
                                                                                                  SHA-256:758732573D0360444173A9ADFEBC41E6295262A2E128F4A7DA973138BD05E1A6
                                                                                                  SHA-512:B8A8F0D970D4ACA797C3AE4F70C32D1068599F1FD802430F75606541F00BCC133B66484DAB0276115E09E39126AC398D54933A7757E4C28EC54FC0E40B869A3C
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k..k..k..j..k......k......k.....k.....k......k......k.Rich.k.........................PE..d...).9S..........".................dP.......................................p.......R.......................................................P..<....`.......@..$...................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata..$....@......................@..HINIT....@....P...................... ....rsrc........`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18384
                                                                                                  Entropy (8bit):5.784225074424451
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:KNpdeIDggm1TgXu0HM9CZFuz9ynYPLGKsH:Kp0f1Tg+CM9COZytKU
                                                                                                  MD5:FFF61014618EB5B63F5CBB7457537577
                                                                                                  SHA1:E899E392E493F731B900B36FF3C6AD384D35B129
                                                                                                  SHA-256:764FFF366A21B3D44F3F43BDED347E8BF6ACAEC3F911AEA07555A3D8E26CB407
                                                                                                  SHA-512:E057FC69EBE9E36A8D4DABD23044229450FA606564F28A566233AB014C7433ED515AC0BAE8427E667164518A92F74803719A1DB0066AF17560423C8E6BB6FA9B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............i...i...i.......i...h...i.......i.....i.....i.......i.......i.Rich..i.................PE..d...).9S.........." .........:..................................................................................................................<.......P....p.......0..........<....0...............................................0...............................text... ........................... ..h.rdata..\....0......................@..H.data....+...@......................@....pdata.......p......."..............@..HINIT.................$.............. ....rsrc...P............(..............@..B.reloc..............................@..B........................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12008
                                                                                                  Entropy (8bit):6.1656019250857135
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:C1XVhWcj2sFnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9SPp94v:CBVhWcj2onYPL/p1P6j7rLv
                                                                                                  MD5:8A12125138A8F34F9700529363947D5E
                                                                                                  SHA1:996729B5B9A1E85F3B911911AF675C51549F6D13
                                                                                                  SHA-256:392811F93E8DC4BD0BAEEF0DEDC6879DB667EAC0BE894BC6FBCF5BBB776AC98F
                                                                                                  SHA-512:E7AE1C133B9660B791373F1D3BD6765207E6FC1D132687CCE99E267E4945CB9843A47FE53FF0C2A2F20C704F50A8F129514F56675B52FB2C354FC1D829EA62D9
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............k..k..k..j..k......k......k.....k.....k......k......k.Rich.k.........................PE..d...).9S..........".................dP.......................................p..............................................................P..<....`.......@..$...................0 ............................................... ..(............................text...`........................... ..h.rdata....... ......................@..H.data........0......................@....pdata..$....@......................@..HINIT....@....P...................... ....rsrc........`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\install.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51
                                                                                                  Entropy (8bit):4.239902792442837
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Eyd/MLVLV5rxk6BzX:EydELVLrqM7
                                                                                                  MD5:F03B61C1BE8851BF64E2EB97D4A3AF85
                                                                                                  SHA1:FE502F4ECD1209B3DADA7AC8F4876ED9FB5264E8
                                                                                                  SHA-256:AF5EFC928B43A1A476BEAFC055B19568EBCEE29EF4CEB211353DD218689F833B
                                                                                                  SHA-512:D229E472C0FAC83B5B952D368444DDCAC0DB965D033F29AC9EAB8F55D256BC4BFAB0861F21045A6E3B809F5B76AC30917AF321B3DC5F901F982CF477578ABD34
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:utils\devcon.exe install stvideo.inf STVideo_Driver

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\installWin7.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77
                                                                                                  Entropy (8bit):4.625480821115634
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:EydKiRgLV5rxk6BzJzIvXYRABAC:EydOLrqMqPYRkAC
                                                                                                  MD5:70271842A0F3305F9A2922EFE95FBED0
                                                                                                  SHA1:8B60A48D3F3CE9BF397B586F88087A291DBE3B89
                                                                                                  SHA-256:A537CF622B5DBAD19587CBC8FE08BBCE8BFE7E49497BECA5784723E876F99415
                                                                                                  SHA-512:B84A1FE296A36346C9658F1A715114FE5A7518FC1E9B9C7A4D08DDFED760ED15626FCD1751EE361CE2D91FA9B19B75873BAA6ED1BB441BB5170DB50473FC2CD0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:utils\devcon install stvideo.inf STVideo_Driver_WIN7..utils\Mirror2Extend.exe

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\installWin7_64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):79
                                                                                                  Entropy (8bit):4.7040270721314865
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:EydRFMyEJLV5rxk6BzJzIvXYRABAC:EydRFYJLrqMqPYRkAC
                                                                                                  MD5:C8D6ACDAF26E7B8FDAF2888E0CAE6275
                                                                                                  SHA1:B46AF328CF18FA3687AE4D9EE06780C21A12B7D9
                                                                                                  SHA-256:DE19F496F5932135FB25AB04EEE9E5A923728DDFBE13499058530239D890240D
                                                                                                  SHA-512:79CF0BEDCB07C72B6FFF243F7B6D90116AF1E558290E873863C5BE6994ECB6A7E4D4A0ED33CB05D0AC3699CD2328B3E4613868DECB77D7B0BBA6CF49AD809067
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:utils\devcon64 install stvideo.inf STVideo_Driver_WIN7..utils\Mirror2Extend.exe

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):5.364902287777804
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:NpXpb9ygWK86AclLjQ/WzRf8aMKnqPndtQrcaceJe0uqmnYe+PjPGyz/wa4/h:59yD6nlLoWB8a5Od+zcuebZnYPLGK5a
                                                                                                  MD5:FD3381A69042E1B01266549549845449
                                                                                                  SHA1:C6D8D4BF754DA24C0C9B39DFF0B336120BF3829A
                                                                                                  SHA-256:86688C2EAFB525E2E0E6723907E15567E426670C6B9934E129218A45F47B117A
                                                                                                  SHA-512:E9CEBA750A44248860A5980475D41358C0E0B78EF65BF823995572AA091804D3AF836A2A456A8C4A394AE57AF2B8589DFBF561D1007A3A600136A0746EFFB479
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........w....y...y...y...x...y..n..y..n....y..n..y..n..y.Rich..y.........PE..L...'.9S...........!.........................0......................................s........................................`..<....p..X............:..........H...`0...............................................0..T............................text...<........................... ..h.rdata.......0......................@..H.data........@......................@...INIT.........`.......0.............. ....rsrc...X....p.......2..............@..B.reloc...............8..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12008
                                                                                                  Entropy (8bit):6.040113518412221
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Dq8YdZrnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9NH7:Dqjd9nYPL/p1P6j7rd7
                                                                                                  MD5:3C1EBF4DFC9685F1D584F0D6F421391C
                                                                                                  SHA1:99FB5FD1A755AC038818776C6FCB964FD027334F
                                                                                                  SHA-256:237BC4CD7AC38B503EF2D319C484EEAE07562AB09629C218B5C5BEEB8D5A8586
                                                                                                  SHA-512:84C5DCFBAEA40091F7D1D5003414FFA8926B3CEFFADD08071297C5F5A6929557D8EF36BE22181431CA56E773669CD1F15DCFA16494C935EF0C15707102A4A73F
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q....................................................Rich....................PE..L...'.9S............................>@....... ...............................p..............................................P@..<....P.......................`..0... ............................................... ...............................text............................... ..h.rdata....... ......................@..H.data........0......................@...INIT.........@...................... ....rsrc........P......................@..B.reloc..V....`......................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11728
                                                                                                  Entropy (8bit):6.807178448617145
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:KHpo0tYsmKZWZ3/ECwTnYe+PjPGr9ZCApkT1rrZgjldrXa+v5lfr9mOsPkHsV:Pe+jwTnYPL/p1P6j7TmOfHsV
                                                                                                  MD5:36F961C6308CB0B919E659EB1B738AFA
                                                                                                  SHA1:FC795A8FD24CBB3267474D99922CFF1BEE5F242D
                                                                                                  SHA-256:4212786F0C3D5A00502A5926DE4E111BC9ABB84A4953C93DA6E17DCE4EC902E2
                                                                                                  SHA-512:923A0C4B1454C4DEDA5AFD423B34D51FD9AECBBFC610006FC062CF031C81D4A2FDC94098E9DCA4FC16B25FE0766ECDEC12F450E8E4BC701F17832D3715F70C91
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.-...*.H........-.0.-....1.0...+......0..]..+.....7.....N0..J0...+.....7........PW3.@.<...`.c..140331064154Z0...+.....7.....0...0....R1.5.4.3.1.9.0.6.C.F.3.8.F.8.6.0.1.1.8.5.5.2.3.8.2.B.A.9.6.B.B.D.7.7.6.A.5.7.3.1...1..c0:..+.....7...1,0*...F.i.l.e........s.t.v.i.d.e.o...d.l.l...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+.........C...8.`..R8+.k.wjW10....R2.9.7.2.3.F.C.3.1.1.0.6.4.6.4.9.3.F.8.2.4.3.9.D.A.8.1.C.0.A.B.A.8.7.B.9.6.3.1.7...1..e0<..+.....7...1.0,...F.i.l.e........s.t.m.i.r.r.o.r...s.y.s...0V..+.....7...1H0F...O.S.A.t.t.r.......02.:.5...1.,.2.:.5...2.,.2.:.6...0.,.2.:.6...1...0b..+.....7...1T0R.L.{.C.6.8.9.A.A.B.8.-.8.E.7.8.-.1.1.D.0.-.8.C.4.7.-.0.0.C.0.4.F.C.2.9.5.E.E.}....0i..+.....7...1[0Y04..+.....7...0&..... .....<.<.<.O.b.s.o.l.e.t.e.>.>.>0!0...+...

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15824
                                                                                                  Entropy (8bit):6.022305855965037
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:cdot9XqRolBJB3gP9tRHY8QjSec95NLnYe+PjPGyz/wOgjJ5Q7:cduaCvJQY8QjSz9vnYPLGKGI
                                                                                                  MD5:AF512AA3612DEA5C2E2FAE866898EED5
                                                                                                  SHA1:803810F8648832AB81DDF3B3C5862077EF6AFD4F
                                                                                                  SHA-256:FBBEE200CBD1663A0F6D6F9FAD4502004DD4922C2257CC8AF6CBFB4DE1CBDB12
                                                                                                  SHA-512:857D6F4F13ADACE91E7C90B6CADF601C87F3D98C9916C3D6079B153A48B7A9F16A5DB79B92D9E087F1646FE12DD65890292475D2D4DD0C823354EAA0B4BA5939
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m..)...)...)...)....... ....... ...+... .../... ...(... ...(...Rich)...........PE..L...'.9S...........!.........6............... ...............................................................................`..<....p..P............&..............p ............................................... ..h............................text............................... ..h.rdata....... ......................@..H.data....)...0......................@...INIT....H....`...................... ....rsrc...P....p......................@..B.reloc...............$..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4694
                                                                                                  Entropy (8bit):5.249583632564649
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:E+5iOJLGq6BFPmfsLkfsof96zdUyLiypkTsTetTtqBlFL+WC:E+5iOJLGqsFPmfsLkfs86zdUyLiypkAU
                                                                                                  MD5:BA4F5D984CB8611E64BFCEDE9C3B8E93
                                                                                                  SHA1:AC67AA1C6C892FC04FC740647815F74C6671DD34
                                                                                                  SHA-256:A31E1D6AE465C93B847D47BCECAE94E24B918BFF73DD7D9B31E6789322591DDD
                                                                                                  SHA-512:16F3528FA573C612A0CF1BB772FB3C3DE2C4EBA619621E33DE0337D0954DE115BA39FAD0D7FD9816849E2BBC430EB84AAA802AA9F861F0B94EC890C9E19BCEBD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:; stvideo.inf..;..; Installation file (.inf) for the splashtop device...;..; (c) Copyright 2011-2014 Splashtop drivers ..;....[Version]..Signature="$CHICAGO$"..Provider=%splashtop%..ClassGUID={4D36E968-E325-11CE-BFC1-08002BE10318}..Class=Display..DriverVer=03/31/2014,1.0.2.0..CatalogFile="stvideo.cat"....[SourceDisksNames]..99 = %DiskId%,,,....[SourceDisksNames.amd64]..99 = %DiskId%,,,\64bits....[SourceDisksFiles]..stvideo.dll = 99..stmirror.dll = 99..stvideo.sys = 99..stmirror.sys = 99....[DestinationDirs]..DefaultDestDir = 11..stvideo.Miniport = 12..stvideo.Display = 11..stmirror.Display = 11..stmirror.Miniport = 12....[Manufacturer]..%splashtop% = stvideo_Mfg, NTx86, NTamd64....[stvideo_Mfg.NTx86]..%splashtop.DeviceDesc% = stvideo, STVideo_Driver..%splashtop.DeviceDesc% = stvideo_win7, STVideo_Driver_Win7..%splashtop.MirrorDeviceDesc% = stmirror, STMirror_Driver....[stvideo_Mfg.NTamd64]..%splashtop.DeviceDesc% = stvideo, STVideo_Driver..%splashtop.DeviceDesc% = stvi

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):12008
                                                                                                  Entropy (8bit):6.040343349200973
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Ddg2s4nYe+PjPGr9ZCApkT1rrZgjldrXa+v5lPr9xu5eF:Di2hnYPL/p1P6j7rxbF
                                                                                                  MD5:46DF2F9B00DA96B8603F472EC4BEB416
                                                                                                  SHA1:AFB25F23A849DAFECA73DFA6B0DF428619F6224E
                                                                                                  SHA-256:8196CA7ED6BF904E00E2A2955AC8288801AA3983384268D5DF85F52AE10FC974
                                                                                                  SHA-512:0284D0D1A025AED097C375343018DF023A7058CF741BFDE9D97DC647548BD18C05B068268818E6542954BDBB1FDF0B992277C565865A2084DF9BFA2E33A9FBDC
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q....................................................Rich....................PE..L...'.9S............................>@....... ...............................p.............................................P@..<....P.......................`..0... ............................................... ...............................text............................... ..h.rdata....... ......................@..H.data........0......................@...INIT.........@...................... ....rsrc........P......................@..B.reloc..V....`......................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):57856
                                                                                                  Entropy (8bit):6.214858942297855
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:T6pztvRXL6L1T9mV0OTpJoNGDP5t2IhmX+o:T4tmL1EXCNGVt2IhmX+o
                                                                                                  MD5:3B83E955AB0C3A815E0ED69EB6407C52
                                                                                                  SHA1:995657C40BC9A28D36AFEA59FE8549B916F81B95
                                                                                                  SHA-256:0C2EBB467661D404BCA91A080CCA0E5836797EFC474B62A3D22FB3419E3C8B52
                                                                                                  SHA-512:1943EB1AFE81116657CBB33E87C7683CCF6D9EF22F59E5CEE840705E486A176DB5A7D67114A46ECDFC47A1B351F94DDEC72A05BDFB29CA6709CC696D877FDEBA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........X..SX..SX..SQ..Sz..SQ..SH..SQ..S;..SQ..S_..SX..S...SQ..SZ..SQ..SY..SRichX..S........PE..L.....M.....................D....................@..........................0......|.....@.................................T...P............................ ..@...p...................................@...............(............................text...4........................... ..`.rdata... ......."..................@..@.data....+..........................@....rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):542216
                                                                                                  Entropy (8bit):6.466753301083591
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:TXL84WA5C/KIcgHrlti0XoppdpRFT/FKf51PnofX09v:TXL84lopcgRti9FT/FKvnuX4v
                                                                                                  MD5:BB241F864550BFA8AD2346C65E0CE41C
                                                                                                  SHA1:378769EE7D6CA44554103E6A23F1BD20BB9E2564
                                                                                                  SHA-256:58C4394BBE98BA2B9344209CDC98F5DB854A385ABEB4C74BD111B0ED661D1D61
                                                                                                  SHA-512:68CF0A4CC802A10C218B3155D427DA5DFB6EDEA7671A41D016A5844011896C84490123E008CDAC2A4C5C60150B777F6742BA47A95050DFC1DBDEE20E332765EC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s.gS..4S..4S..4.`.5Y..4.`.5...4.`.5I..4.l.5C..4.l.5Y..4.l.5...4.`.5B..4S..4...4Gm.5Y..4Gmh4R..4S..4R..4Gm.5R..4RichS..4........PE..d......e.........."....$.....B......p".........@....................................9.....`.................................................d........p...........A.......(......D....&..p....................'..(....%..@............................................text............................... ..`.rdata.............................@..@.data....5..........................@....pdata...A.......B..................@..@_RDATA..\....`......................@..@.rsrc........p......................@..@.reloc..D...........................@..B........................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2816416
                                                                                                  Entropy (8bit):7.82236063017737
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:wVaHMTDMmyUZe4RF+A8LO9Us1BXEne0Nxx4kta2R74IIjvmIFe5mxoDpuBw1s31n:wVTuERKy9v1BXEne0Nxx4kta2V4IIjvZ
                                                                                                  MD5:DF362B11095D0F59ECF9DDC0DAF61B12
                                                                                                  SHA1:6BB3B490F048FD1306D714651F6C2C488BC318D9
                                                                                                  SHA-256:BAFA22DA91BF2B44E4EFBBDFB8D7FB64B6F8A04569F2737EA49C384CDAD193F7
                                                                                                  SHA-512:0A03BBF0DEF16E78556041DAC5EF003957384C37F07B08EBC0917921DC30189C2E3CFF7F91F369BD7195A8EE3E84D194113F0D889897C5679DEA263F27821FFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d...2..e.........." ......*...... ..0.I..0....................................J.....v.+...`...........................................I.\.....I.<.....I...... G.......*..-..,.I.............................(.I.(...................................................UPX0..... ..............................UPX1......*..0....*.................@....rsrc.........I.......*.............@...3.96.UPX!.$..c-rX...OI>H...*...G.I..l....H....F........@.AWAVATVWUSH.. A..|.........................f.....{...... H.5.....}..g1..H..>t.(...%.....?..v......=u.f=.....<......"g.|.....w..H....M..I..eh.%00.....p..P.7...t$H9.....-...=.uv.T...5!..u......f....,...>.u....H........#.a.2...&/.d......[..a.D...R....t.L..A.....{..O......E1....D.....m. []_^A\A._.a.y(.p...f.._....Uc(L.9^A..1>l..t....y..v.....z....G..w**.....$(...SW...)...,...."[\...=...2s.....E....F1...&;..v....y.wp.....t#.

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):465928
                                                                                                  Entropy (8bit):6.6188868975232875
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:nmELSchToqY92QUOMIsV7iPSdutxml26jmlE662:bnAUF1pAb
                                                                                                  MD5:12A3EF8EF5D70994B9500FA0801F8903
                                                                                                  SHA1:C06C2AC1CC4B7D50DDFD36E32CDB2274618294B7
                                                                                                  SHA-256:520C5A35F943B06888A96339EB2B8B5BEEB70046B5835DC0190AF77B4E0824FC
                                                                                                  SHA-512:EF4AE07C1F2A636D57F5FA64505CE8CA581FAFD450DAC9FFAED69B84259BC21A3632E401577FA996C5C699352B07325CA7CB4CF82FD46E3C98E506E08B3125E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Lyqa...2...2...2.j.3...2.j.3...2.j.3...2.f.3...2.f.3...2.f.3S..2.j.3...2...2...2.g.3...2.g.2...2...2...2.g.3...2Rich...2........PE..L......e...............$.X..........7........p....@..........................@......B ....@.................................4............................(......t8...P..p....................Q...... P..@............p..8............................text....V.......X.................. ..`.rdata...A...p...B...\..............@..@.data....%..........................@....rsrc...............................@..@.reloc..t8.......:..................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2581408
                                                                                                  Entropy (8bit):7.8335475472495375
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:bGF1tZkcS3fy3i9Ov8l6/kKkN6PLsCzvDxg7abakf35UXAtuwHgLYV1G4DW1L6Ky:bs1kcS3fy3pv8l6/kKqiLpPuabakf35n
                                                                                                  MD5:348AF13556E619DA13459047DAB625B9
                                                                                                  SHA1:6F3CB9022C715AFC6156A44A73D9D10147AB6CA4
                                                                                                  SHA-256:75BDBB78A7CEE839496A8E643E2E631D04E243C4B466F3AF7FCD8C8A01288807
                                                                                                  SHA-512:344C43F62910CF5D1B31AA3A17E0A581C438055D49DC59071574F3D1A500C0945AFE89C2AB54045140B4EB79221B5A7E0814056C5600055FD3A0D458436D9CC0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...[..e...........!.....0'......."...J..."...J.............................. J.....+-(...@......................... .J.\.....J.......J..............6'..-..|.J...............................J.....................................................UPX0......".............................UPX1.....0'..."..*'.................@....rsrc.........J......,'.............@...3.96.UPX!.....'.tl..8..I..''...H.&...o...h.>e....`....f.USWV....D$........tz....M".R...-..........5..p..a1....>t...."}..........h.....9u.=s.Z.^.......>..6...........nd...h.v...k../...t 9.t....{3m.7.u.-.E.n..~.u.j..."L.".}u......2e.J ....PQ.......k.PC..$...z........X.IL.6t......t$.j.....C...1...........^_[]...V.L$.TJ...$......a...P...^^Jf..4...?......UX...._/............F.^|.<.w&.VW...v.t...v%.!."LqO...."..9...,...WJ.d.....)Rj.s...W.h.G]....qA..<$G...C*.+t..G.#..@?.1?.....x7....$./...h..".ul......

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3116552
                                                                                                  Entropy (8bit):6.392745373577217
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:bPZ5TNGpStg+wTMz3Q8giStLONyAppqk8W+OcVpcL0865eGzYPcL1l:gtMziR8k1DcLv6xL1l
                                                                                                  MD5:9CA925B6A0CFA7F8B0222233B3494D05
                                                                                                  SHA1:20EF67FDEA63178B92D2BF4755C02687DC9D9022
                                                                                                  SHA-256:5C66BE5F5D9A8CD7CBD5F31EF3AAFE7A422186E9B21AC564B58362508BF0583A
                                                                                                  SHA-512:FBF69CAB559363EE0C16E4F04A7A3BED101B1B7D96383D2E092DE6EED505522CC7D1FEA1900FB0A63293BDEE34A5006583A1540D61043439CCE4EB12FF505879
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......)r.3m..`m..`m..`.a.aa..`.a.a...`.a.av..`.g.ao..`"o.a|..`"o.ag..`"o.a#..`.a.a`..`m..`...`.o.ae..`.o.al..`.o{`l..`m..`l..`.o.al..`Richm..`........................PE..d...)..d.........." ...".:...`......l^......................................../.....M.0...`..........................................,.X...(.,......0/.h....P-......f/..(...@/.H... .*.p.....................*.(.....*.@............P...............................text...|8.......:.................. ..`.rdata..ZM...P...N...>..............@..@.data........,..p....,.............@....pdata.......P-.......,.............@..@_RDATA..\.... /.....................@..@.rsrc...h....0/.....................@..@.reloc..H....@/.....................@..B........................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32264
                                                                                                  Entropy (8bit):6.549378989734658
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3mFO3OkMgk4tx/knVGuOA0R2dEpYiTPxchfU49:3SO3trenVODR2W7TPxchfUg
                                                                                                  MD5:48C3A4A2FA37A0BFC5BD90874A63AF44
                                                                                                  SHA1:27A3FBF2603B36DD972401CF8B976FBC282A2C3D
                                                                                                  SHA-256:3822BE932AED0A6E5C5A9F3CD80440AD96C8248F187F67324221A58AF5276296
                                                                                                  SHA-512:F261A54AF5B0204B8018B5844CDDA6BDC1F399AB3375BF171B8E7081A9BCA583D061F7182EA140E5E2A9E42916C78C2C7256AF516B15EC16AD51AD8ADFBC57EA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[..:..:..:..u[..:..BX..:..BN..:..BI..:..B^..:..:..:..BG..:..BY..:..B\..:.Rich.:.........PE..d......d.........."......*...(......,0.........@....................................<.....@..................................................L..d.......l....p..D....V...(......L....B...............................................@...............................text....).......*.................. ..`.rdata.......@......................@..@.data........`.......D..............@....pdata..D....p.......F..............@..@.rsrc...l............L..............@..@.reloc...............T..............@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2403848
                                                                                                  Entropy (8bit):6.7207202597413875
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:FgGdcX0zBXVSNi2z4xw4G7NyzRP1ikMHeBNWHr:F4X2ikxwTNsi7
                                                                                                  MD5:4CF09B45FEE4FD22DC22B0AF706E4D80
                                                                                                  SHA1:86A6E08A3F7C315F1FDE9A9499EE91EE6A0F1407
                                                                                                  SHA-256:4D925CF495ED97B7B73F7A93B01F7C529B55EB4581479120D235DC9263D06A3D
                                                                                                  SHA-512:FD4B8E15B5A2C0B5045F039E2498D1CEFA5BB4913E302C56E6B84526279D36378D87E9269435B5AF644BA019CF056BF47E818F192FDD9D35F1AC8CF8D6DDD531
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......|.q8.."8.."8.."...#*.."...#..."...#/.."...#:.."w..#).."w..#!.."w..#s.."...#5.."8.."..."...#0.."...#9.."..%"9.."8.M"9.."...#9.."Rich8.."........................PE..L......d...........!...".............W........................................$......$...@...........................".X...8."......`#.h.............$..(...p#..o....".p...................@."......".@............................................text............................... ..`.rdata..............................@..@.data...pr...."..N....".............@....rsrc...h....`#.......#.............@..@.reloc...o...p#..p....#.............@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29192
                                                                                                  Entropy (8bit):6.708144938787245
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:EJVI3R0H/aWeIUhwNslRPbJyRefvcO+mVMWehLNyb8E9VF6IYiTPxcbdGgktyVEF:EJKMC8NsLPtxcO+AMPlEpYiTPxchOF
                                                                                                  MD5:A958758134E6D61D45BA0C4968380A8B
                                                                                                  SHA1:F40142518B13782CD2A06844CD8147B337E459DA
                                                                                                  SHA-256:30FD28720C7235F45140ED0642A4C71FF0DB1E93362D5694D87026DDA14992F9
                                                                                                  SHA-512:1645C335C36AAC6A6BD2A74E41F7176776E70B696705F491CA8CCD6E99A54C3ECBC52E8BA081E9B0E57F5C08E0546D5302A7D28D72C350EC08446D54457360D1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U(...I...I...I...Z..I...1Y..I...1O..I...1H..I...1_..I...I..sI...1F..I...1X..I...1]..I..Rich.I..........................PE..L......d.................&... .......+.......@....@.......................................@..................................F..d....`..l............J...(...p......pA...............................C..@............@..H............................text...K$.......&.................. ..`.rdata.......@.......*..............@..@.data...0....P.......:..............@....rsrc...l....`.......<..............@..@.reloc..4....p.......D..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):107312
                                                                                                  Entropy (8bit):6.447984928648711
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:BTeWLZrzci/8dbquofWnRADp2y6hX2hbTYzLhrhkphDZ52DBXN+vl/DFS:BCWFfqbqaGnGzLhr82DBXN+v2
                                                                                                  MD5:BCEF2D42768A816AF7CD60391CBA3C0E
                                                                                                  SHA1:E17EC512C595318DC5F282CB73B71CFCB0B52A7E
                                                                                                  SHA-256:0EA236D80EFFA865F73E728D06790AB5583660EC915C979E8D96CAF692B6FE80
                                                                                                  SHA-512:389B36A464C417AAAE16A229F004A01D4F1EBC8F3D8E8A4D12B5AA82D9BA5EDE4A139B3999BAF1D9BF862D3B4BD5A6A0D89CC0A3561E8CA15EF19AA771DEE475
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r...r...r...{...f...{.......{...D...{...}...r.......{...p...l...s...{...s...Richr...........PE..L......U.....................l.......W.......0....@..................................0....@..................................\..........................0............2..............................@N..@............0...............................text............................... ..`.rdata...6...0...8..................@..@.data....-...p.......V..............@....rsrc................h..............@..@.reloc...............n..............@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):76752
                                                                                                  Entropy (8bit):6.281018016209332
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:TMM1hIpiOe7unK1L0RW7Z4tk05ZpJBkkmN6/2EvK6k:TMM/hOeSK1DZ4tk0/B7OEvK6k
                                                                                                  MD5:8CED2B2F0E61A1BA20D63B24A41E1234
                                                                                                  SHA1:9731E2756EAB7A902DA1A72C0F1DC008425037C5
                                                                                                  SHA-256:44DB8AF61B92B39C805B136D2FB608D9D9082F051DDBD9AEE9E3A760B34EFF13
                                                                                                  SHA-512:087596DC595B786D74087BCEEA2F1A9B46F4EADCB1162201F32CB05B9BD207520C617AD849CD52788B5C2E579CF72B2B1BB7A5265D10B450B5E6FB8D17D1C07B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].mt...'...'...'v..'=..'v..'...'v..'q..'>+x'...'...'...'...'r..'v..'...'v..'...'v..'...'Rich...'........PE..L.....jP...........!................VE.......................................`...........@.........................`...........d............................@..P.......................................@...............t............................text...'........................... ..`.rdata...8.......:..................@..@.data... 1..........................@....reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):91432
                                                                                                  Entropy (8bit):6.020228136904558
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:5UBy2mcawf1jBALblIkWHgMCtd+DIO6iUY:SyNcRjyLKGMCtd+DtDUY
                                                                                                  MD5:B510DA2C973FEB05803F124D0507D3A4
                                                                                                  SHA1:8F1344CEF1DB998698E1467AD22E30ED3BCE584B
                                                                                                  SHA-256:A39DEBD7558B4E769AC277A7D05B532318AB7774490310F76BDFE9E55240D9CA
                                                                                                  SHA-512:AFC90D52B19B5E8186C62F5F1B720AB68EB34A997D3099824C7396FCC74D1ED76063BA1541FAAD999806BCFCC375909636E48EF36957157AAD766256B2999E6A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7.B.s.,.s.,.s.,.z...b.,.z...K.,.z.....,.z...`.,.s.-...,.z...w.,.m...r.,.z...r.,.Richs.,.................PE..L....^.R............................@9............@..................................?....@.....................................x....0..x;...........L..(....p..X.......................................@...............x............................text...7........................... ..`.rdata..N0.......2..................@..@.data...............................@....rsrc...x;...0...<..................@..@.reloc..z....p.......2..............@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):170960
                                                                                                  Entropy (8bit):6.545608024132094
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:k4UWlA7/ZJoE1s76gv/vKnGStqzWTBflx+FOGqK1:PY7/3s76ginGS4zWTBQv
                                                                                                  MD5:27CA510E2DDFE647F742F98C2EC6A7F7
                                                                                                  SHA1:1F422E39770D9565460F881D078D8C335B678255
                                                                                                  SHA-256:41BA7791F830EFBDF5F942A0B6DCF98C6A7D37B7DC06EED21F86AFBED0215C9A
                                                                                                  SHA-512:ACBF7A23FB033ADB314466324AF6D1C6F543F6FADB6439B3E80F35467432754396667C9CA511A4D8AC3178BB51CD61EA3D94755436EFA9231EA362282C5FA2E4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9..Kv4..9...A7..9...A!..9...A&..9...A1..9...9...9...A(..9...A0..9...k6..9...A3..9..Rich.9..........PE..L...8-,Q...........!................L3...............................................h....@.........................@[......(S..<.......|.......................0....................................G..@...............l............................text............................... ..`.rdata...k.......l..................@..@.data...87...`.......J..............@....rsrc...|............b..............@..@.reloc...............h..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):103432
                                                                                                  Entropy (8bit):6.507042602680481
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:W6HdKQFG0im9CyE0rWB4f/j7rvHLoFbGugan639SNxsWb8cdrewxJ1oz2BxnI7Hr:RHu0im80GM//rvHiP6tSDr1J1DxnIrj
                                                                                                  MD5:C206EC43716412F6EF3D34E982DB52A6
                                                                                                  SHA1:3F9107DD8E7D22BAD64D93B73CBAFC05FB784978
                                                                                                  SHA-256:A1405EE37B7332E6C5EEF536E3682579C6D32D04E7B35C63E3B5C6E470F4DC43
                                                                                                  SHA-512:37DD1DFB0485C912AA540F2223C6B721F125F5C8A07A6D1C822A690AD96211218FE9365FD0AD8A9540A1DF34F5BCA50F308A7F26E5032D2DA6F81C7C55377976
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......q..r5.!5.!5.!. ?.!. ..!..n!7.!3m. '.!3m. !.!3m. ..!. #.!. ".!5.!..![m. 3.![m. 4.![mZ!4.!5.2!4.![m. 4.!Rich5.!........................PE..L......f...........!...&..................................................................@.........................`Q.......R..P.......x............l...(......T....A..p...................@B.......A..@...............l............................text...z........................... ..`.rdata..Jk.......l..................@..@.data........`.......H..............@....rsrc...x............T..............@..@.reloc..T............Z..............@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2032648
                                                                                                  Entropy (8bit):6.729617797377189
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:PSkcdKH5rIZ/iMdG44DhONCm/HZigKqiuBzxCdfHmsMOG/fh+WyCkVRG1RruS:PtUKH5rCiMdAPm/ggKqiuBEEZ
                                                                                                  MD5:BEC6156158A67602B09CF0DA73030C97
                                                                                                  SHA1:7D3B3F04B1B0687C2F57B4EEF16025E5B510078A
                                                                                                  SHA-256:915AB66486EBC2D53E00FB67009E9075F5F38362EC9991DEA0EDD22E1F376B85
                                                                                                  SHA-512:83A9DB2A90BF15FBFAA11FA22CA360645B0DC75DFD6EC78CD8E92D1545B25661338D748B2BC135382E46CE14825E4C1E93AC08F5F9D7C357FF60FE1748F06A3D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......./...kq..kq..kq......zq.......q..b.&.jq..m._.jq..m.~q..m.qq..m..q......wq......iq......Nq..kq...p.....q....].jq..kq5.jq....jq..Richkq..........................PE..L.....f...............&.............C............@..........................0......,n....@.................................t...T.......P................(......HD......p...................@.......8...@.......................`....................text...|........................... ..`.rdata..V3.......4..................@..@.data........@...j...&..............@....rsrc...P...........................@..@.reloc..HD.......F..................@..B................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2834952
                                                                                                  Entropy (8bit):6.539664758973578
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:umSsYqrQaFT1BlliPYksB+zAAWTnlOSF+5T3Yr81C2MThk1kHW1l1R:umSsRbBriPxv0AIlOSF+5T3Yr81C2PSm
                                                                                                  MD5:1F7098CEB237AEEED163E9756BBB90A2
                                                                                                  SHA1:BA3B3CE92EDE19D79D8590F14DF6360CEF45BC0A
                                                                                                  SHA-256:FD546CA96FA59E9E230C971F1EA8300671626B3E539DA38229FEF2D31DF39E37
                                                                                                  SHA-512:EB7EC85184EEBFD80F81CA7FD357F1F069B3B3C8EB67C1399E39B26E088CE8ACAECBB7F3F303E2493D86F26BC554C45B2B09D902FE011F1D16ACECC22E9C42A2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_...>..>..>.{L..>.{L..>.{L.q>.{L..>.{L..>..>..=.....>.....>....=?..FV..>....>..*..>..>B..>....>.Rich.>.........PE..L......f...............&.t........................@...........................+.......+...@...................................!......."..............+..(...@).._.. ...p...........................`...@...............L............................text...Es.......t.................. ..`.rdata...-...........x..............@..@.data.........!..n....!.............@....rsrc........".......".............@..@.reloc..._...@)..`....(.............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):530952
                                                                                                  Entropy (8bit):5.635258243014462
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:BLuEfa1wzyLFLdpirf61es7BHiUG9CrtiU4/+kwltmfjLvr:wEf9zyLF5UwiUrvQ+kwKjLT
                                                                                                  MD5:DB58A250AF70BE2601B780E38954CAB8
                                                                                                  SHA1:5778BAF30357176D48716B4B26F38EB50EDDCD38
                                                                                                  SHA-256:EBCF29B4EABE11BA7C3BB144C0ED56F3436DC0DDB444FEA9ED46D3DC65EEF2BF
                                                                                                  SHA-512:FDD880568235ED4817678223176E76F19EBAE59117C8A03AF146594D0D231D87B8C9530D9D0EE4A13AD28063BDD79F6A8B17DC5E45429F06C85B189971BCE8E1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........D...D...D.....O.........B...P...B...S...B.........\.....a...D...z...*...Q...*.W.E...D.?.E...*...E...RichD...................PE..L......f...............&..........................@..........................0......q;....@.............................................(................(.......(..0...p...........................p...@...............,............................text...=........................... ..`.rdata..............................@..@.data...H#..........................@....rsrc...(...........................@..@.reloc...(.......*..................@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2856456
                                                                                                  Entropy (8bit):6.5272320223066655
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:yxNLfsfB4HLnvkoRImtbOzNSv7kgYNaN/AS2X8bVD91kHWj0f5co5G:yfzKB47hImIzNSv7nYNm/AS2X8bbSWQi
                                                                                                  MD5:A490F9458C33BD398784F2A279191FE5
                                                                                                  SHA1:75608EFD13EC19A2BD9ADAF4A3C213FE8B56B58C
                                                                                                  SHA-256:A4291F8933C7C7F86F41B6D8C55B38B32D423CA2DE2FD849BFB34CFAA3A423C9
                                                                                                  SHA-512:7FE5000E801E23D7F606B44E630069B3B1DA3610B7F24710DFC45692D5C1F630CAE0008CE7EC64F943725A33A290FD22621DEC7FF0B22496A7A8A79F95777F3D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z...z...z.u.y...z.u.~...z.u.....z.u.|...z.u.{...z...{...z..:~...z..:y...z..:..0.z..:s...z..:....z.....z..:x...z.Rich..z.................PE..L......f...............&.R...r.......I.......p....@...........................,.......+...@...................................!......0"..d...........n+..(....)..^...+..p...................@,.......+..@............p...............................text...?P.......R.................. ..`.rdata.......p.......V..............@..@.data........`!..l...<!.............@....rsrc....d...0"..f....!.............@..@.reloc...^....)..`....).............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2847752
                                                                                                  Entropy (8bit):6.646321260816477
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:hUgpR+7j3bGHrQcZ3nEiNd1fcpV8IjaKQXRoiQztOhvduynwtDWNOIuXm1:KgpR63bS06d1UpV8IuKQXRoiQztOhvdD
                                                                                                  MD5:D594E5BBE16CE8113E6DF65D5465BD8B
                                                                                                  SHA1:0BD07C53236027E0166A50C367ACCE705044D094
                                                                                                  SHA-256:8F4EA2D03D82EFEA0E5BC5D9D8C9ECF9295ED44D5CCB04B6B09B2458A0D6D15E
                                                                                                  SHA-512:22CEE98B633A0BE3276294BF484F20EA5AD02AEC51A772151AAA4430ACBF395ACECEF7EDDCB862B0BDA27784A1EB502497C1FED18620FF08952209814B0930F7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........#`..B...B...B...0...B..o....B..M....B...0...B...0...B...0...B...0...B...B..nA.......B.......B......LC......B......B...B...B......B..Rich.B..........................PE..L......f...............&.l...J......kt............@...........................+.......+...@..................................9!......`"..............L+..(...p)..d..pI..p....................J.......H..@............................................text....k.......l.................. ..`.rdata...............p..............@..@.data.........!..l...n!.............@....rsrc........`".......!.............@..@.reloc...d...p)..f....(.............@..B................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):126984
                                                                                                  Entropy (8bit):6.665230260582452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:35P5B8wltn9s2x5eSeKiifjo2QqEF+bppW1rHIZkrMc:315ds2x8Szi6jo2Qbx5ikrv
                                                                                                  MD5:A84334EDD4524897AEA6A3E48AEE1370
                                                                                                  SHA1:8505D4B14647D44CBB2F6E7B9F03B2B96840A920
                                                                                                  SHA-256:40EEFBA6B13C35261CBA798DFB07F87A1F314879C3B381DC19BD2F187C42F2B1
                                                                                                  SHA-512:7C46A7B483BF0F3889CD4DC882E3739769DCA2476F8970BEE73C6FF823716CBD814D8AAE51CE9DB31D4EEC559D8C1BFEB6188B6CDAACF3E47D497A643390C6BE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................'......'...|..'.......H......H......H.....'...........H.....H.....HX......0....H.....Rich...........PE..L...L..f...........!...&.,...................@...........................................@....................................(........................(......4...(...p...........................h...@............@...............................text....*.......,.................. ..`.rdata...u...@...v...0..............@..@.data...x...........................@....rsrc...............................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2847752
                                                                                                  Entropy (8bit):6.646331125534745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:gUgpR+7j3bGHrQcZ3nEiNd1fcpV8IjaKQXRoiQztOhvduynwtDWNOIuXmq:jgpR63bS06d1UpV8IuKQXRoiQztOhvdQ
                                                                                                  MD5:C3CF8A2B74EFD52301A7E2B60562B88A
                                                                                                  SHA1:EDA9F8F3FCD25698942565698E9806146C7FEE98
                                                                                                  SHA-256:C3AF403890050387E49BB87F2ABFEEB71BFC1F2AD734F19DDCA4B559DC721CC4
                                                                                                  SHA-512:FF24B018A7DC6CC6124B488BB91CA34455595A6E7C3AD49678EFF063ADB922502F2577DAEABAC0E4578E058C53DA23E06EC91D45BA48BA3E1EBDC080FD2F2916
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........#`..B...B...B...0...B..o....B..M....B...0...B...0...B...0...B...0...B...B..nA.......B.......B......LC......B......B...B...B......B..Rich.B..........................PE..L......f...............&.l...J......kt............@...........................+....._.+...@..................................9!......`"..............L+..(...p)..d..pI..p....................J.......H..@............................................text....k.......l.................. ..`.rdata...............p..............@..@.data.........!..l...n!.............@....rsrc........`".......!.............@..@.reloc...d...p)..f....(.............@..B................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2462728
                                                                                                  Entropy (8bit):6.459851104824016
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:SMeSnmrodNwPmDeRluqd5RQIVezdmMYilzviNx1Owj9Kh2PY6MZcqqyJk1kHWFW:SMe5rQNw5ew5zVezdmMYilzKNx1Owj90
                                                                                                  MD5:FD682F1C6DB26119E5A5C8CD947A6FCB
                                                                                                  SHA1:B2CC6A6EE4DE7E313A867AFC3251C076CFBC5DF0
                                                                                                  SHA-256:8A1E78F34144613A5F53FDFC5BDEA1B906E4254FEB6828278BE3EF012B050757
                                                                                                  SHA-512:9DB7D8E41AD60373F5A34888F66594CB822A0492CD80D6199809AC9E41170030B6C758F063129CDEBAD5BBFF01D6E5290D71C314B026F16CCF193B5071FFB6F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........B..B..B....X....a........C....o..B.....DS..W..DS..U..DS.....,S..T..,Se.C..B...C..,S..C..RichB..........................PE..L......f...............&.8...x.......r.......P....@...........................%.....w.%...@..................................*..|.......h............l%..(....#.x.......p...............................@............P..$............................text....7.......8.................. ..`.rdata..\....P.......<..............@..@.data...@....p...X...P..............@....rsrc...h...........................@..@.reloc..x.....#.. ...L#.............@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):142344
                                                                                                  Entropy (8bit):6.179488799230379
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:aIRS31UwelTwwoJChcq6UfS/Hqvo+h34cD8DUsWjcd7LX1rd1eC404jaVV7HxOh8:aIvMg6MSqV4bPld1eC401TN
                                                                                                  MD5:F3D3C87B836D2DE41F58E94B079FAD91
                                                                                                  SHA1:F9851BB7165F4C0588E6FA5BC4D90457B6726A9B
                                                                                                  SHA-256:1025A1B6AC27BDEEB58027C18F76E1BF9EBD3D5C4FF4166E63436988EF1FE187
                                                                                                  SHA-512:626D4B3DF71130E2514A96D3557176BE31E5357948ACE5226995311E63A9B75F3B20F1C86ACA0FBE9DE57C005595FEA04E365B863759866A7D2FD000CBFBF0E1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...6...6...6^'86...6^';6...6^':6...6...6...6S.L6...6..&6...6..?6...6..<6...6..b6...6..96...6Rich...6........PE..L...+..f...........!.....0...........^.......@...............................@......4.....@......................... ...}...$...P.......x................(...........A..8...............................@............@..d............................text..../.......0.................. ..`.rdata...~...@.......4..............@..@.data..../..........................@....rsrc...x...........................@..@.reloc...7.......8..................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):94640
                                                                                                  Entropy (8bit):6.423065206229182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:iYqYiH1S4d7O6R/S4Ka2ogPgz8KT9Tvx2+wAZLvva24:dqYiV+2Su0wTvI+wwva24
                                                                                                  MD5:F6F00886EE605DECD561BD3465151BD5
                                                                                                  SHA1:2585353A6B42041244661D260CA7885E269A38C6
                                                                                                  SHA-256:126EE74EF2F420292FA5FFC120851D8B62854253568483FCE0DFA4B30F25E0E4
                                                                                                  SHA-512:A919E02F81520D285F769CF7E92EE25C85F2EB1949A29FFF022328E10937AA779477D6641F98EAE6720C0986B46240B7B3442693C4FBA0F70E0EA17E3517BB2C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h0...c...c...c...c...c...c...ca..c...c...c...c...c...c...c...c...c...c...c...c...c...c...c...cRich...c................PE..L...Tn.^...........!.........f.......T..............................................u.....@.........................p3..|...h+..P....p...............Z..................................................@...............\............................text............................... ..`.rdata...3.......4..................@..@.data....,...@.......(..............@....rsrc........p.......:..............@..@.reloc...............@..............@..B................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4827144
                                                                                                  Entropy (8bit):6.619100970044717
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:4cfxU/i/TqDXIuIkfsxc8x1fDcSIlIPXRV5h8zyESiInINWNy+N9zIcpqh4T1l63:5fxU/i/TqDXIuIkfsxc8x1fDcSIlIPXO
                                                                                                  MD5:22E13B497D1121567C2AE226C6D47445
                                                                                                  SHA1:FD8F50AEF2DB48F519650430E1B5A735C2679534
                                                                                                  SHA-256:DD9D4F8A07200ACAAE5BC4A9EBDAFF2351849B32400807AABB1DE20A20C73EA9
                                                                                                  SHA-512:E38565C9E74246BDB0D34CA7D0595711BEFAEA59E2CECDA9329D3CFDF5A5DD298D0F47BCC57C056A82D1E18059A8B5D409DD05A507D3DF0528D48A201718BB47
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$........{.m@..>@..>@..>.h.?l..>g..>_..>@..>...>E..>L..>/l.>A..>g..>H..>.D.?B..>.D.?B..>Ib,>A..>.f.?Q..>.f.?P..>F.U>A..>F..?V..>F..?\..>F..?'..>.h.?f..>.h.?...>.h.?A..>.h.?q..>@..>...>Ib+>F..>...?...>..W>A..>@.?>A..>...?A..>Rich@..>................PE..L......f...............&..?..z......+.:......@?...@...........................I.....=ZJ...@...................................C.......D...............I..(....H..:..p.B.p.....................B......&A.@............@?.....D.C.@....................text.....?.......?................. ..`.orpc...e....0?.......?............. ..`.rdata.......@?......"?.............@..@.data....e... D..J....C.............@....rsrc.........D......@D.............@..@.reloc...:....H..<...DH.............@..B................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4827144
                                                                                                  Entropy (8bit):6.619105757532515
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:ocfxU/i/TqDXIuIkfsxc8x1fDcSIlIPXRV5h8zyESiInINWNy+N9zIcpqh4T1l6a:JfxU/i/TqDXIuIkfsxc8x1fDcSIlIPXf
                                                                                                  MD5:7C7CA9728B17F0084B2EA765384612CC
                                                                                                  SHA1:20135586A6C38EC6C8A777AD0F83E4E4DF77C9A5
                                                                                                  SHA-256:9E12DBF2A16E2CDE23A9B0F85863C5C2C7DAA5A91A626A188E7E4ECCDC385C77
                                                                                                  SHA-512:96AF7B0ED6AF8868464663DA6AE735A693A3B409DBB786DEB3EEEB8CB8242C7770E729E03A8C4A0672690C5D994A73AE0D788C38D7B45869897900E7ED39B74E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................p...........!..L.!This program cannot be run in DOS mode....$........{.m@..>@..>@..>.h.?l..>g..>_..>@..>...>E..>L..>/l.>A..>g..>H..>.D.?B..>.D.?B..>Ib,>A..>.f.?Q..>.f.?P..>F.U>A..>F..?V..>F..?\..>F..?'..>.h.?f..>.h.?...>.h.?A..>.h.?q..>@..>...>Ib+>F..>...?...>..W>A..>@.?>A..>...?A..>Rich@..>................PE..L......f...............&..?..z......+.:......@?...@...........................I.....6.J...@...................................C.......D...............I..(....H..:..p.B.p.....................B......&A.@............@?.....D.C.@....................text.....?.......?................. ..`.orpc...e....0?.......?............. ..`.rdata.......@?......"?.............@..@.data....e... D..J....C.............@....rsrc.........D......@D.............@..@.reloc...:....H..<...DH.............@..B................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1867272
                                                                                                  Entropy (8bit):6.692254498803176
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:fa4mao1Xnaau+SDlHnqTVI6y9ThIVaior9ns:fa1B1q/+SDB2m+
                                                                                                  MD5:49C644E6E216BD7DCEF4EB7154D84E3E
                                                                                                  SHA1:E0CF8E3EF61A5F20852D007DEFE52F15BF7C985B
                                                                                                  SHA-256:4C30BB3BFB2F8BEEA56A7A4C7253F7F10A94E1EAC71B434BD59AEBF2C4148E1A
                                                                                                  SHA-512:DE65AADFDB47457EBB719E71F44BE802A16A6FD1DF6D38D5E242C3FC1E062DF0981CC679277B0AA26BFF3727F29B437EFDC0FBF6AA177F348B1CE080AB838ADE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$................o.....o...d....................eg....e.....e.....e....o.....o.....o.......N........e..?..ee..........e....Rich..........................PE..L......f...............&.r...D......k.............@................................. h....@..............................................6...........V...(......$(......p...............................@...................d...@....................text....p.......r.................. ..`.rdata..&M.......N...v..............@..@.data...`........0..................@....rsrc....6.......8..................@..@.reloc..$(.......*...,..............@..B........................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):330248
                                                                                                  Entropy (8bit):6.7899102550791
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:4aXIREBEBRS1izV0CyJ8XytTl4jqNzmCPOIAOvQ10:kEhCyCOiqNxjRE0
                                                                                                  MD5:7C3B0175C350E6AEA7C5F4F331FB7457
                                                                                                  SHA1:46FE50380B66C64A98B08017DC0D8566D9B22847
                                                                                                  SHA-256:A83CDFC6ADDAC319E9CF2F950958DB790CA430F96D900B5205828EBE9B2829A8
                                                                                                  SHA-512:4B3972EB174AE834B39F34D51D19ACA9EACE14CACC54D0314DFBDE8B38C2A0514E81B5861BEE9CF8465313F6B98DB31B0C2D314B052CC8F5CDF58C7AF7E61AAC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V..y..*..*..*.Vc*..*.Va*d.*.V`*..*...+2.*...+..*...+..*..r*..*...*..*..*F.**J.+..**J.+..**Jm*..*...*..**J.+..*Rich..*........PE..L...S..e...........!...%.V...................p............................... .......5....@.....................................(.......0A...............(...........}..p............................|..@............p...............................text...XU.......V.................. ..`.rdata..n....p... ...Z..............@..@.data................z..............@....rsrc...0A.......B..................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):649008
                                                                                                  Entropy (8bit):6.592395353162998
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:EevXOcMAzEExDWdMoe3BlkCwkupdTyu7XAgBn4Dy:9ecPzEExCaoeRqFkcTZjAgBnAy
                                                                                                  MD5:F8F5641394A455FDCC4E493ECCC7F012
                                                                                                  SHA1:02D12D3E6569EB3A669602AB12540DD509F7474C
                                                                                                  SHA-256:4B5051DDDB178BA71D1BFFF29D93693FC8DD73B3117A23E06BF6A3815CD7BA35
                                                                                                  SHA-512:BEC16EF02A11BC84A8B412B4D3F3142DC5532C88F8712C43FCF2397B4D0B6530D7DC7EBB512413C1E260711C0B5DBC454B8FE6E61886ED536953F8315C9EA74B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......nR.*3..*3..*3..#K1..3..#K'..2..#K ..3..#K7.'3..*3..3..#K..)3..4a0.+3..#K5.+3..Rich*3..........................PE..L.....U..........................................@..........................@............@................................. 1..d.......................0.......pY..`................................................................................text............................... ..`.rdata...-..........................@..@.data....`...@...$...(..............@....rsrc................L..............@..@.reloc.."y.......z...T..............@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4639240
                                                                                                  Entropy (8bit):6.427553985864784
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:7knkAp/RKEPPtjDFU/HnFSk2IyEWmoV7B2qTXSWJlbg:gRzdKGEWmoV70qdJ9g
                                                                                                  MD5:1B4BEEB773103E60A53321290E72C936
                                                                                                  SHA1:01C95888D3B737924310B93F7A6B59192B74E52F
                                                                                                  SHA-256:208C8EA7ABDDB3D78BDBD2DF1F7B1D91F19C80716472AB4CEA11A993F4BE0D4E
                                                                                                  SHA-512:B55D47571ABBEBC09AB223482D70157CB5DD100F448FD000C8750171003249010786368DDFFBE42956656E623D292589201034B2D32A41E8EEFC00D917705D41
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........K.6.*.e.*.e.*.eKX.d.*.e.RPe.*.e.RGe.*.eKX.d.*.eKX.d|*.eKX.d.*.eKX.d.*.e.*.e...e..>e.*.e...d.+.e...d.*.e...d.*.e...d.*.e..<e.*.e.*Te.*.e...d.*.eRich.*.e........................PE..L....f...............&.. ...&.............@ ...@.......................... G......!G...@..................................\'.X.....(...............F..(...PD.......$.p.....................$.....@.$.@............@ ..............................text...<, ....... ................. ..`.rdata...c...@ ..d...2 .............@..@.data.........'..n....'.............@....rsrc.........(.......(.............@..@.reloc.......PD.......C.............@..B........................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.pem

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PEM certificate
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5262
                                                                                                  Entropy (8bit):6.05232077920498
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:LrdBs5tNThpCwTWYOHS2zkoGwhav1x6s7xPe47Oq1JmIyztq43ZEDRS4bcrkpk7:Hg5tNTDCdRoothav1xd7Be6Ositq43yY
                                                                                                  MD5:A8B2B3D6C831F120CE624CFF48156558
                                                                                                  SHA1:202DB3BD86F48C2A8779D079716B8CC5363EDECE
                                                                                                  SHA-256:33FE8889070B91C3C2E234DB8494FCC174ECC69CFFF3D0BC4F6A59B39C500484
                                                                                                  SHA-512:3B1FC8910B462EA2E3080418428795CA63075163E1E42A7136FA688AA2E130F5D3088AB27D18395C8C0A4D76BDC5ED95356255B8C29D49116E4743D269C97BF9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:-----BEGIN CERTIFICATE-----..MIIFVDCCAzygAwIBAgIBADANBgkqhkiG9w0BAQsFADAuMQswCQYDVQQGEwJVSzEf..MB0GA1UEAwwWU3BsYXNodG9wIEluYy4gU2VsZiBDQTAeFw0xNTA3MDYwMjQ2NTda..Fw0yNTA3MDMwMjQ2NTdaMC4xCzAJBgNVBAYTAlVLMR8wHQYDVQQDDBZTcGxhc2h0..b3AgSW5jLiBTZWxmIENBMIICIDANBgkqhkiG9w0BAQEFAAOCAg0AMIICCAKCAgEA..wAXrbbT7bxfdfXv4WpeKYQwEj+O5IbELiqJUnjtSL8dhSLjunEnT08eNngGtUbKU..K9UYvokPo4w9dV7ZF2SIVNLLhGINgWfKGjFEOC2HMMxF6/Npjps8UdO3zozZtDET..4InDRAPDAQDuJX2le8sbmwcN6viuMPHQH/zM4VDg86txN/ueO+MHK4PR41dxNU6g..Mi1w4rntp1/alPtJi49CmxkonTzoWZsRz4QJAUJxEFmI4/2C9fKNEdiQUazHIXc1..55qeMTyaLna1ElRl1hpqvH4N7FChuXkG3ncEQRBZr41MCCX1l6PX1MGmbu6CRmEn..dzyu2fKQdnJ2nLzOzNRBuhEv/1Jm0Sij7b0QSberPSw0BqbVOZKY4b93ZRlqrkoD..K8LxS2/DtBvoeHxbF6UV6e4xHOpPDLlOLyfi27LYipTDN3Bt9yxUzcerLMu5KhZG..US8Alv80m+pnnsoSE6C4WN+/iDeRS2K8/BxY1TyFNAYRnC1sVaqwT/0AWHamKmXI..siGuKNMNSOB/pMx+qMFmvdYLMG/FHz6kBghyaqAaSOAcHzU6JJEOmy5PfyJ1VEVT..5ZeHGhwJ6FebFVAbpyTVRslokF6N2BXUuflN8N0Rp/8d5kr8ncHgd4boM16nl+T8..NMjiA0DkFktJHxnIKUEUH0nAIimvRt6+VTGIiXiPZbMCAQO

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2511880
                                                                                                  Entropy (8bit):6.474952796610172
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:NmROzqLfJdQImVbsA+1p5xa1/GW69Qd/o7na6lla5SISrk5kZvjT1kHWWm1:YyqLxeICb9+1pzaH69m/o7na6lla5SIu
                                                                                                  MD5:6AA8728E3CCF6DC77CD5F8BB1606B23C
                                                                                                  SHA1:BD88659CF8411BD21F2D76A1FB7F44522D8E7E2C
                                                                                                  SHA-256:FBA1711F1F31DAA1C39FE49AD1E9984BB2F8C09D7C8B18FA2B1ACFBBF0F450C3
                                                                                                  SHA-512:248DA56FFF36EDF39191CAE03CE2CB35819E860FBFEA11539BEA6A46F23706BB98D2E3037152A19FDED6457D6B1105076A61907C2DC30396814E0446382411C7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........7.QtYNQtYNQtYN..ZOJtYN..]OutYN..\O.tYN.._OPtYN..XOxtYNQtXN0wYNW.]ODtYNW.ZOHtYNW.\O.uYN?.POYtYN?..NPtYNQt.NPtYN?.[OPtYNRichQtYN................PE..L....f...............&............gG............@...........................&.....iX&...@.....................................T.......`............,&..(....$......j..p....................k......0j..@............................................text............................... ..`.rdata...-..........................@..@.data........0...\..................@....rsrc...`............r..............@..@.reloc........$.. ....$.............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):403976
                                                                                                  Entropy (8bit):7.913397085225153
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:ABn+r/1zHhY39LgwN7krdItd7YtjIRC67P/4HATggyTG:ABa/1zHeKbri0eC6zRggyTG
                                                                                                  MD5:4C534EB38F42BC64F08C33182156D8A1
                                                                                                  SHA1:EEBD8F8C323E50945A273F1C197E91A9BE17BBAF
                                                                                                  SHA-256:7FA2AA9E466E2F3B884D11984E3D68750CBCDDB033F02F8AAC4AEEF1EE02FAA1
                                                                                                  SHA-512:97D5182BB70E21C5C6E2D43AA62FCA5A171AED3D3AC97A623A6FC187590CE3595DDBBF8B82B969BE86EA0FED22C5447819A0F72B1304AEF1560BDFD5F0054E98
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......l...(...(...(...c...%...c......FP..>...c...?....P..)....P..9....P..0....P..f...c...%...(.......FP..n...FP..)...FP..)...(.l.)...FP..)...Rich(...................PE..L....P~f...........!...&............................................................?....@.............................T................................(..l.............................................................$.......................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):552456
                                                                                                  Entropy (8bit):5.861082788260862
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:kARoNkM3YHA77f8m8end5Xy+1kvI8k9W91iVXuXskIhnclJS:RoNxh8edk+1kv5K+WhnclJS
                                                                                                  MD5:24890653CF368C9517425823DC8D0833
                                                                                                  SHA1:20382E4DA8B3DC11FA149C56CA6340F235E24E20
                                                                                                  SHA-256:8C66B9490BF5E0AD06259D0CE9A3A79818ADE1421F2A0D441B3A2FA16FCCC614
                                                                                                  SHA-512:815D98FABA8B07B34A1561F7FF8851E5119702F79BEC08E70E0A8F5BFCECEF9EAE890B75546E8D910E0F2B025174DB0B127F9D2D6A32BC145A6951C6A40AFAD8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,..nh.s=h.s=h.s=..p<b.s=..v<.s=n%w<|.s=n%p<}.s=n%v<X.s=..w<~.s=..r<s.s=h.r=..s=.%z<c.s=.%.=i.s=h..=i.s=.%q<i.s=Richh.s=........................PE..L......f...............&.F...........=.......`....@.................................GI....@.....................................P........[...........F...(...`..........p...........................P...@............`...............................text....D.......F.................. ..`.rdata...}...`...~...J..............@..@.data...............................@....rsrc....[.......\..................@..@.reloc.......`.......2..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2790408
                                                                                                  Entropy (8bit):6.513824440011559
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:Fi5406jawRY386kQXVom4G8Y7Mln4S+GlWXJYsGWwpt0eJy1kHWVXswZeJyP:M4069RY383qVPVZ7MV4S+GlWXJYsGWi8
                                                                                                  MD5:0883F496B5EB0B9CF4CB24BBE3D60160
                                                                                                  SHA1:11EA03EC46E9E2F4B7B8487B2091179629694D10
                                                                                                  SHA-256:E29FCA755C1FBEF55536B872B30C9D00CAFA1C46A5EDCE04393B0C1223EB6589
                                                                                                  SHA-512:93C64F37E1EB2DB9CB3FB74946F30AF94CB6F89F108CF573D76909FAA0FE2C44465815967429B29BBBFB6D4FD272AD0C8355FAB068A6F8503FF9860E219CE136
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........&w.....}o....&w....&w.'..&w....&w.......I.............................|.........Rich...........PE..L......f...............&.B...n...............`....@...........................*......f+...@..................................! ...... !..W...........l*..(....(.Xc..PG..p....................G.......F..@............`...............................text...y@.......B.................. ..`.rdata..P....`.......F..............@..@.data...t....p ..f...J .............@....rsrc....W... !..X.... .............@..@.reloc..Xc....(..d....(.............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):170504
                                                                                                  Entropy (8bit):6.584358890743955
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:4bZwVL8XodHGBy7R9ayIrkTGmqgxlEahOAPCCI184A94CesE32:NYXRsR2YTGmhRhJFAsEG
                                                                                                  MD5:B68D5F67BD1FB013720F291D70C9D08E
                                                                                                  SHA1:19B9D7E3960B2E929F6B2FB08A4136C13C7BBAB0
                                                                                                  SHA-256:15AEAE1D6E0F9A66C081C786320486CF17FC10F26B6C486C74DF775B07791D58
                                                                                                  SHA-512:3323F2E06673AD436C57D9DD307DDADF5E4479A8EEFE56DBD0403BCDEA2176126DD344B28CC11F7C277DA46588B0866AA1B1AF4E7A0404D68E21E5981846C090
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u.............sf..a.sf..`.sf..E.....c.....b.u....f.....fa.t.u...t..f..t.Richu.................PE..L......f...............&.............C............@..................................M....@..................................Q..P....................r...(......@... ;..p....................;......`:..@............................................text.............................. ..`.rdata..F...........................@..@.data...4....`.......F..............@....rsrc................T..............@..@.reloc..@............Z..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):203272
                                                                                                  Entropy (8bit):6.606805717980334
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/A7YiJa+hGYsOhS+ixWVg0jbhm4381P7ZL0HelltPVhVsjigKYgQL0HDG07ds8KM:/A7YiJncMh5NA4MVdL0HeFVpQY57ds2
                                                                                                  MD5:E3D168D946A8D8FEBB39521D6F9E8207
                                                                                                  SHA1:EA48A18FFDA6336E8587635142BFC333770D31AE
                                                                                                  SHA-256:811BDC74EAA5935A23D931930F0804D7C234E8595DE81BEC26ADEACFF62BC446
                                                                                                  SHA-512:12BAC78A83BA30AFE4BEE40FAD25331FDF9BEAA8D232A71DCB05407BBFC443AE09739418D5B46D6020F531251BCBB2FB434FF8C564321180616446B7384A3B3B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........[..:...:...:..$H...:.....:.....:.....:..$H...:..$H.._:..$H...:...:...;......:...{..:...:...:......:..Rich.:..................PE..L......f...............&............&........ ....@..........................0............@.................................D...........X................(..............p..............................@............ ...............................text...0........................... ..`.rdata.. .... ......................@..@.data...x...........................@....rsrc...X...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):333320
                                                                                                  Entropy (8bit):7.909775605022876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:2lc/Jz+v9TViX69NAqxVKhFcuUa/w28bgSl1FcXirkmMDt:wcU9oe61hFPqgSzrkmMDt
                                                                                                  MD5:562D29B934BFB893AF36F03CBA478AE3
                                                                                                  SHA1:5AA2D1A95EE82DADB2EE604E503CEAF3FBFDDD6F
                                                                                                  SHA-256:ADEDDB37D54E44F84BE0F3824A5C2E98EDF831D6E16836C4CDF34FC47DA4BBF3
                                                                                                  SHA-512:0E85A3BC34D44815442DAAECF910AE02216B28891D785C2C85072FB2824E0AC4056A658C76522C4659F5275F975F291C8BC9217856F52EF1DB6778069FCF8A20
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$.......5...q...q...q.....c...........f...V...c...q...K...t..`......{.....p...wR..p...wR..c...wR..i...wR..$.....f...q...d....R..E....R..p....R..p...q.u.p....R..p...Richq...........................PE..L....d.f...........!...&..................................................................@.............................T.......@........................(.. ...............................................................\1......................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):337416
                                                                                                  Entropy (8bit):7.910033827099534
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:jlsrxoLbx49G3x2MB7oUR71gg/wl12GSHU2eQHx+0lnPmDfYfG:B0dwUQNTW12GoU2eQR+SPmbkG
                                                                                                  MD5:7A90EC5109E67E431CAF2FD55D41F82F
                                                                                                  SHA1:412F6A3E795502CD39F76FD51B138E06A081F146
                                                                                                  SHA-256:2FA77B33CCCE1B5412A9866ACB63B050F6F94485EF8AEC378BC82D02929A1001
                                                                                                  SHA-512:ACDBE23B0FA784EA5433A223AEA32CF1C86436F7C9F4E715A10B6A891B4D6B8CEAA943C26444B5813AFDB6C9C4DE6F43B81A632D74920373C0D802613DFD2ED0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........e.g...4...4...4.v.5...4.v.5m..4.v.5...4..4...4...4...4...4...4OZ.5...4.v.5...4..4...4..5...4..5...4..5...4.v.5...4...4...4...5...4...5...4..,4...4..D4...4...5...4Rich...4........PE..L....d.f...........!...&......... ..`....0... ...............................0.......7....@..........................(..X....&..@.... ...................(..$)..............................\.......|........................e......................UPX0..... ..............................UPX1.........0......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2582536
                                                                                                  Entropy (8bit):6.439872347245085
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:udu/wuTcE9m/juNV60UZ5TRo19aOpkSiCMS367JnuB0lSF:tI8cVjuPzUTTRo1MOpkSiCMS3CJnuB0k
                                                                                                  MD5:706ADB78B2036CCF714887D353416330
                                                                                                  SHA1:61235F81DA698DAACA1CC0DAF9E9C99DFF2AA02A
                                                                                                  SHA-256:923B3703B6857B5159EDEC8D752D607937B37BAC4BDFE25DDEEC7DC1A20E294B
                                                                                                  SHA-512:0988B4A5157F4484AC91DE2CA4191E63FED87CC1CA0F591464B9D887E24394420A1AE566552FC587E0042721FB0CCA3178B935CF127DE190F5C77186EB2EBB8C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........K.................................................p.....................X..................a...........Rich...........................PE..L......f...............&............_.............@...........................'.......'...@.................................TY!......p"..............@'..(...p%..V...w..p....................x......0w..@...............4............................text...<........................... ..`.rdata..............................@..@.data.........!..j....!.............@....rsrc........p".......!.............@..@.reloc...V...p%..X....$.............@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):300552
                                                                                                  Entropy (8bit):6.695330747460851
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:56NgLS1hsBLUbcyrCYKlW+GKQnyu1CHw0YHI0W5v:YgLGhsBobcyrOu1CHw0gW5v
                                                                                                  MD5:861875D4CD48D76E650270655C6E0B93
                                                                                                  SHA1:02007CB5E10BDD433EC0E754207BA04CB1C1D598
                                                                                                  SHA-256:41B65F25F5A5B9635D28D467C3E423CD533E239A641922326AE41F329A5B6BE5
                                                                                                  SHA-512:1109E26FB73C677492B79F0C1C1F3ADCCF11962A848497046BDE7AE35C20A5FC48F33F415D6D231E3867B279D80A0069347F1365BAC1AC5658F3E3A1ED8E6020
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H....._.._.._..^.._..^.._..^.._.J.^.._.J.^.._.J.^.._.._.._..^.._.._]._bJ.^.._bJ.^.._bJP_.._..8_.._bJ.^.._Rich.._................PE..L......f...........!...&............h...............................................nJ....@..........................;..$...4<..<....p..x............n...(.......!...(..p........................... (..@...............h............................text............................... ..`.rdata..............................@..@.data.... ...P.......:..............@....rsrc...x....p.......F..............@..@.reloc...!......."...L..............@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):115208
                                                                                                  Entropy (8bit):7.877996118531337
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Ojw9KC9FNiaL9tfuTjyUDJ90sFAmUPDo0hbn+F2LyvwFOs/cYb:b9KC9FNbwl9+D7o+XmIFOh4
                                                                                                  MD5:6B82A354476FA7C56175EE060F08E2C9
                                                                                                  SHA1:D77566D72C6F1C796C2E8087A9BD04920455B138
                                                                                                  SHA-256:754C8D6C7C91B7620A7EE34665C28F0BE67686591E5B49A7E9B8C33BAEF6C37E
                                                                                                  SHA-512:E5241DCF50B4D6003FCF1FE14F8693CDE525CDF020E7CF7557B76AC954102722C7721BDE48DAE08A4524A12E611AF950588ADBEEBC95158901BCA6238CE2FA51
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........[...5S..5S..5SDn.S..5SDn.S..5SDn.S..5S..0R..5S..1R..5S..6R..5S..5S..5S...S..5S..4S..5SY.<R..5SY.5R..5SY..S..5S..S..5SY.7R..5SRich..5S................PE..L...w..e...........!................P*.......0...............................@......:g....@.........................<6..(....5.......0...................(..d7.......................................,..............................................UPX0....................................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):733704
                                                                                                  Entropy (8bit):7.921389042280339
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:SEjmVTsQGgZp4zjWURE9b9Sh73+axBJIsPqTVzVpW6jg6sQNGh+rIY2eV0Vt3Cz8:SEjmpsdgZwjWUREN9o91kV5pWmNGhM/q
                                                                                                  MD5:C0B530DCB39BFFA1B2A64DCB9DCE67CC
                                                                                                  SHA1:FC80610E9876B750B5C71CDBA679610320C3DF49
                                                                                                  SHA-256:A4103499C3584F3D2274E8D81B1355312D7CCF2CA794C746915ADA79C12F0D7D
                                                                                                  SHA-512:1326AD4B4EE3920E21449A0367E5912605AEAAF5C692A9042FEEBD2E4B789408DE605A7154D2DCD8A038358A98457312403C7AD550B3CDA64ED9D3E81E23459C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........u...........A.&....A.$.V..A.%....k.......|.....|.....|..........Oa.....lD..........\}....\}....\}(......@....\}....Rich...................PE..L...w..e...........!..............(..3...(...3...............................3.....b.....@...........................3.d.....3.x.....3..................(..x.3.......................................3.............................................UPX0......(.............................UPX1..........(.....................@....rsrc.........3.....................@......................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\STRLOG\splashtop.bl

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3835
                                                                                                  Entropy (8bit):4.764498295481361
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:y7IqsbCST8eInWhT2YB9tds0xNqu72V3VcaM/g7QSEvqcAzOt6zS:y7IuxeeS9VjiMl6e
                                                                                                  MD5:D949C968DFD291B7D69CD9A65A1CBC8A
                                                                                                  SHA1:9FD25344A4E35BE5F6FCC3CBD346D9230820016F
                                                                                                  SHA-256:D166064C6FFADBD505076B633E10D5536739C3E68E4B48F6A396FD8299666E56
                                                                                                  SHA-512:68C26A66AEE424CFEAF9A5BADFA2592DA91C5B1BE65B69C60879255936413215BDA05D5633F69C7AAD2688A53A586BB54E3AC722E2DCE3BFAC034C4C1C4594B4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.svchost.exe..csrss.exe..SearchFilterHost.exe..SearchProtocolHost.exe..conhost.exe..winlogon.exe..SRServer.exe..SRService.exe..lsass.exe..services.exe..smss.exe..wininit.exe..lsm.exe..SSUService.exe..spoolsv.exe..SRFeature.exe..SearchIndexer.exe..WmiPrvSE.exe..mDNSResponder.exe..AppleMobileDeviceService.exe..nvvsvc.exe..DataProxy.exe..iPodService.exe..audiodg.exe..cmd.exe..spupnp.exe..WLIDSVC.EXE..WLIDSVCM.EXE..dllhost.exe..taskeng.exe..armsvc.exe..rundll32.exe..atieclxx.exe..atiesrxx.exe..ctfmon.exe..SeaPort.exe..nvxdsync.exe..MsMpEng.exe..nvSCPAPISvr.exe..wlanext.exe..LMS.exe..ccsvchst.exe..UNS.exe..mscorsvw.exe..msiexec.exe..iTunesHelper.exe..LSSrvc.exe..btwdins.exe..LogonUI.exe..TrustedInstaller.exe..avgwdsvc.exe..jusched.exe..unsecapp.exe..IAStorDataMgrSvc.exe..PnkBstrA.exe..AVGIDSAgent.exe..GoogleUpdate.exe..AvastSvc.exe..RTHDCPL.exe..sqlwriter.exe..IAANTmon.exe..avgcsrva.exe..mdm.exe..igfxsrvc.exe..Ati2evxx.exe..ZhuDongFangYu.exe..VSSVC.exe..wisptis.exe..hpqWmiEx.exe..avgcsrvx

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):326664
                                                                                                  Entropy (8bit):6.273611352763876
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:gpWGtJblMMuWntMAHeVQHe3lPpAyQ4L/8mJEDJnMihRD+ae7/lXCU:tGtJblMMuWntyxOyQ4LkIyxypCU
                                                                                                  MD5:D2A501F07C9F9373F11CC89FB2D49D8C
                                                                                                  SHA1:37EAADAF61D2CBE697F1C454640F9E04F4CD2D16
                                                                                                  SHA-256:A25A7C80A4BD007248306E02FBC10436885C64CC70A40433143BC82C641D3480
                                                                                                  SHA-512:B20727B34287D5877D94963B08F520E586C2A66A39631C768CF2F6ACA31959DFB2711C8043E71DA4FA8A00DF039E886D30B0D7DC2E85FEFC68E99761F3945B54
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..............].......j.......j.......j...............j.......j.......j...............j......Rich....................PE..d......e.........." ................<........................................@............@..........................................p..w....^....... ...........6.......(...0...... ...................................................(............................text...>~.......................... ..`.rdata..G...........................@..@.data....[.......&...f..............@....pdata...6.......8..................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):263688
                                                                                                  Entropy (8bit):6.578168733069161
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:rP7UBxcJ1Puvfk+GTVGUtO9EU5dem+b0sInsLwcQRelNXkd6X0ThhYibRYI:DhmE+YQY4/eHw5ew8N0A2Xbh
                                                                                                  MD5:F276DD195D935138FA1EDA9C522CD62C
                                                                                                  SHA1:67508C991FAE8F6A503B7997D96CE4BB7AF559CA
                                                                                                  SHA-256:3E4FF68E9E2E312A9DDCD249F9BC2782103452E64CF6DF2914EF989006DD6EFA
                                                                                                  SHA-512:F3E2C301A7091D04F0D17BCDDC2BB0057366FE7089564966FE2EFD56ABD381190B01672DB6E6C7330E553382D38D7FEFDB644F1DF9F28B85714F52F695D812AE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l.._(..(..(..../.)..!.,.2..!.:....!.*.3..(..!..!.=.t..!.+.)..!.-.)..(...)..!.(.)..Rich(..................PE..L...%..e...........!................+........................................@............@.............................w....~...........................(......X$...................................O..@............................................text............................... ..`.rdata..W~..........................@..@.data....K...........z..............@....rsrc...............................@..@.reloc...@.......B..................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_provider.man

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4448
                                                                                                  Entropy (8bit):3.463053305093135
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:NZ9Y9R9iY+Al8/ky6V9R9iYsrAl8/k5v+sv:0bMAl8j6vbirAl8mv+y
                                                                                                  MD5:20D8473FB148C4ADA5878B313BC776AF
                                                                                                  SHA1:1C88D93AED07AF5753D5CADE1BBA2EC1A69C81A8
                                                                                                  SHA-256:FAFFFA0C014BF46A71E323FC4275A5A9004FF90B474B1B7A30D5728FA81D3568
                                                                                                  SHA-512:5E6AD6B5F040C927685FB4BF4A83149DCDDB22F8A1BD5ECFF5B6E69ECAB80FA7DDAACFA4FA7EB35D9723F4CF364B96D61482FA805F5B6595AEDF064C3C099C2B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.M.a.n.i.f.e.s.t..... . . . .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.e.v.e.n.t.s."..... . . . .x.m.l.n.s.:.w.i.n.=.".h.t.t.p.:././.m.a.n.i.f.e.s.t.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.n./.2.0.0.4./.0.8./.w.i.n.d.o.w.s./.e.v.e.n.t.s."..... . . . .x.m.l.n.s.:.x.s.=.".h.t.t.p.:././.w.w.w...w.3...o.r.g./.2.0.0.1./.X.M.L.S.c.h.e.m.a.".>..... . .<.i.n.s.t.r.u.m.e.n.t.a.t.i.o.n.>..... . . . .<.e.v.e.n.t.s.>......... . . . . . .<.p.r.o.v.i.d.e.r..... . . . . . . . . . .s.y.m.b.o.l.=.".P.r.o.v.i.d.e.r._.S.p.l.a.s.h.t.o.p.S.t.r.e.a.m.e.r._.S.t.a.t.u.s."..... . . . . . . . . . .n.a.m.e.=.".S.p.l.a.s.h.t.o.p.-.S.p.l.a.s.h.t.o.p. .S.t.r.e.a.m.e.r.-.S.t.a.t.u.s."..... . . . . . . . . . .m.e.s.s.a.g.e.=.".$.(.s.t.r.i.n.g...P.r.o.v.i.d.e.r...S.p.l.a.s.h.t.o.p.S.t.r.e.a.m.e.r._.S.t.a.t.u.s.)."..... . . . . . . . . . .g.u.i.d.=.".{.6.6.

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28160
                                                                                                  Entropy (8bit):3.7217591844595956
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/xr44ok0H+Re/1EPaTHV8GzXlGmYOom+rt12xROVSjfCKm/kIKz0+rIOsJ:/24ok0H+Re/1EPaiI1Y4O6Sv+q
                                                                                                  MD5:29F288F751FBCEA5CD75EA9774882787
                                                                                                  SHA1:5A4C30382C63E29E848B681D39CC213C2198E12E
                                                                                                  SHA-256:711702EB24803788CE601996F90B7EF57EEF1F764F7AAF3A96E2196ED4A9533E
                                                                                                  SHA-512:B7FC0A739B33E79232EF506393CF90297F4D41F165F34B5BE50648D8A1967419E1F0EE369E809D5C142898824E8B5A3784106D33A2D1D72CD811D5352F4BBD60
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.<...R...R...R.......R...P...R.Rich..R.PE..d....._.........." .........l............................................................`.......................................................... ...h...........................................................................................................rdata..p...........................@..@.rsrc....h... ...j..................@..@......_........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....!...g...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28160
                                                                                                  Entropy (8bit):3.7214568392805565
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:xXxr44ok0H+Re/1EPaTHV8GzXlGmYOom+rt12xROVSjfCKm/kIKz0+rIOsJ:xX24ok0H+Re/1EPaiI1Y4O6Sv+q
                                                                                                  MD5:BE32CA6CD3810D278DC07C2D67FA5A44
                                                                                                  SHA1:63C47D24563F3E19BADE1482BA91D57542736C6C
                                                                                                  SHA-256:2F28F5D4952FD4430568AFCCE023C4885B47BF7C705950B252555C7D92EEFB72
                                                                                                  SHA-512:C21FF9E2116F0C469642C47B85E6D36970344F6C929B018DB6BED88FEFB54AA9C82EDDA1F9123F1B493E9046DE2B46C44C62900967752110EA056B54CEB56E85
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......E.<...R...R...R.......R...P...R.Rich..R.................PE..L....._...........!.........l............................................................@.......................................... ...h...........................................................................................................rdata..p...........................@..@.rsrc....h... ...j..................@..@......_........T........................rdata......T....rdata$zzzdbg.... .......rsrc$01.....!...g...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1458184
                                                                                                  Entropy (8bit):6.608368260050606
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:3u1d1TlM6S5+KpPH2+68gJ4dxM3GsFa8cihBUbo0h3yT26:3ub1T2B/+J4jMWsFa8cJbo0h3x6
                                                                                                  MD5:86FB762B6F48E0F579D8E1C20D829E5C
                                                                                                  SHA1:35643C93BAF6F1A0DC2607C2F65D339DD149FE71
                                                                                                  SHA-256:1837087E75DE428C18ACEC7F2EF7576752396A3A1EF15450230734E9EE194B28
                                                                                                  SHA-512:A0A53F0C256DD1ED0FA512E11A4AB936BD829B22E37C422194144CF022192B2C7157A4220BAD2ABF45CA6FF44FA3E954BE57147E57CB869D1E53399F5895FB13
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ..N...N...N...N...N.....N......N......N....~.N......N...O...N....9.N......N......N......N.Rich..N.................PE..L......e............................Ku.......0....@.................................(.....@..............................................................(...........5..............................pb..@............0..............................text............................... ..`.rdata..@....0......................@..@.data... ........j..................@....rsrc................&..............@..@.reloc..F,..........................@..B........................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1721576
                                                                                                  Entropy (8bit):7.978334410477683
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:oU4MsColC6Je/ZgY7OOfcEpiRLH87SyVXGe38uKUj+NFVov1PJLfVKZ8F5mEeZWF:BFCsfZRZA6Xn388avVovfLd+Mo4iEF
                                                                                                  MD5:4DA5DA193E0E4F86F6F8FD43EF25329A
                                                                                                  SHA1:68A44D37FF535A2C454F2440E1429833A1C6D810
                                                                                                  SHA-256:18487B4FF94EDCCC98ED59D9FCA662D4A1331C5F1E14DF8DB3093256DD9F1C3E
                                                                                                  SHA-512:B3D73ED5E45D6F2908B2F3086390DD28C1631E298756CEE9BDF26B185F0B77D1B8C03AD55E0495DBA982C5BED4A03337B130C76F7112F3E19821127D2CF36853
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........t.v...%...%...%.m+%...%.m:%...%...% ..%.m-%...%.m=%...%.m,%...%.m7%...%...%...%.m*%...%.m/%...%Rich...%........................PE..d.....[J.........." .........0............................................................@.........................................`................p..l!...`..,....,...............................................................................................text...L........................... ..`.data....J..........................@....pdata..,....`......................@..@.rsrc...l!...p..."..................@..@.reloc...............*..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15072
                                                                                                  Entropy (8bit):5.857603927715577
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yJaZmN9l0HNbsphoCqpQATeZjMcnYe+PjPGr9ZCApkT1rrZgjlerpLF+vctrie:kaZM0HlGOpQMejxnYPL/p1P6jeL3b
                                                                                                  MD5:3CDAE3B3A3AE968DB4756613EEFF3680
                                                                                                  SHA1:FF474C2D8A83BD5AF0A6B6CA954004D86BCF6FCA
                                                                                                  SHA-256:8DC9051BC452639550EC4F956F1DBBAC2D2A1886868C17743A3E4BE22297E166
                                                                                                  SHA-512:50E01496A3F891AC4BB455092427A4549406EAED44A292D415B8B42DF5FF72D1352EA6FCC66B2A11151AB9AE6590158753CC28E78F2DAC7FEBD5F6B8B4908126
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'N.OF .OF .OF .OF!.JF .F>..JF .F>..LF .F>..KF .F>..NF .F>..NF .F>..NF .RichOF .........................PE..d.....#Q.........."..................a......................................................................................................<a..<....p..x....@..l...................@ ............................................... ..8............................text............................... ..h.rdata....... ......................@..H.data........0......................@....pdata..l....@......................@..HPAGE.........P...................... ..`INIT....*....`...................... ....rsrc...x....p......................@..B................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):21216
                                                                                                  Entropy (8bit):6.105547248727277
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Zfhpq1BKeL/JQyyo0Y0HgWjkRtPzjn4nYPL/p1P6jeL3fq4:hhpq1BK8/JMYChMxXn4umiP
                                                                                                  MD5:A10A6FC3F643F82777345ADDC182799A
                                                                                                  SHA1:015BDFF614CD475C119C9CDC25950E8226930584
                                                                                                  SHA-256:8D09A7643A0095A0077710423E7D8D7134F9197B6F73DA427333790BA3774A61
                                                                                                  SHA-512:5D2D6FDCCB9A99F95467E734AC83C77162D5D4509248A4BFDCE493BDD9D140220416095E0F75DDAB50071850FC0892CED2835336D1C42F4A3AC87F0D66C41ED8
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'F.SF(.SF(.SF(.Z>..PF(.SF).AF(.Z>..VF(.Z>..PF(.Z>..PF(.Z>..RF(.Z>..RF(.Z>..RF(.RichSF(.........PE..d.....#Q.........."..........&..............................................................................................................`...<.......@....`.. ....6...............0...............................................0...............................text............................... ..h.rdata..L....0......................@..H.data........@......................@....pdata.. ....`.......$..............@..HPAGE....x....p.......&.............. ..`INIT.................*.............. ....rsrc...@...........................@..B.reloc..<............4..............@..B................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1461992
                                                                                                  Entropy (8bit):7.976326629681077
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:GjG90oN2lj11mk/22yYzGrarZRm4X5Uh6rVh5LdfBwOyCSQM1fFhSWRA2+:iGtN2h1120R7m4XShYVxfBwrC21fXSz
                                                                                                  MD5:A9970042BE512C7981B36E689C5F3F9F
                                                                                                  SHA1:B0BA0DE22ADE0EE5324EAA82E179F41D2C67B63E
                                                                                                  SHA-256:7A6BF1F950684381205C717A51AF2D9C81B203CB1F3DB0006A4602E2DF675C77
                                                                                                  SHA-512:8377049F0AAEF7FFCB86D40E22CE8AA16E24CAD78DA1FB9B24EDFBC7561E3D4FD220D19414FA06964692C54E5CBC47EC87B1F3E2E63440C6986CB985A65CE27D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.B...B...B...Kd1.E...B.......Kd7.Q...Kd .M...Kd6.C...Kd'.....e...C...Kd0.C...Kd5.C...RichB...........PE..L.....[J...........!.........N......C................................................S....@..........................................P...<...........6..................................................@............................................text............................... ..`.data....G..........................@....rsrc....<...P...>..................@..@.reloc...............*..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13024
                                                                                                  Entropy (8bit):5.821753253165571
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:hjJQAzeZjMpnYe+PjPGr9ZCApkT1rrZgjlerpLF+vctrMYPT:RJQUejknYPL/p1P6jeL32Y7
                                                                                                  MD5:C57099F9A63D144A9CDC103D2C42A6AC
                                                                                                  SHA1:F2AA1DBAC145BDA82DEDB69CA969EF4D0831C3DD
                                                                                                  SHA-256:D8390287A8865769BB50B0B83E7E7FC56B055BFC48D3513146CDB8D3954338BE
                                                                                                  SHA-512:18AB1AB0D233AEAAB786A28AEF766AAD9C683859628AEE94527C426DE7F63171345CAB4ECF96C54F19C93DF5E637A4D845C2487049DE161E19229F6253C775E4
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................................................Rich............................PE..L.....#Q.............................P....... ......................................r........................................P..<....`..x....................p..8... ............................................... .. ............................text............................... ..h.rdata....... ......................@..H.data........0......................@...PAGE....#....@...................... ..`INIT.........P...................... ....rsrc...x....`......................@..B.reloc..j....p......................@..B................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\install_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):224
                                                                                                  Entropy (8bit):4.711399671949434
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dCiIc+JIIbdCiIevKIIlfRcGIIbdELVKT7:kidCicjdCiMt/jdx7
                                                                                                  MD5:001B12FA9D827E2A53675F4FFC5D68D8
                                                                                                  SHA1:0D1221A35F3FEF1B8B0B38E835BFB8F35357D3AB
                                                                                                  SHA-256:2C6E538B58C32DFFC7E3ED85175A2F5D08C5AA3FA68EE05207DB6A015D778DD1
                                                                                                  SHA-512:E85BAD69B1F36D36B96A03713B885FDDC485E7DA5A5FA4B07F5AFD7264BC9989F4AEA14822588F3921EFF4C6C5E7D2737CD382866A089DA8F4A19CAF69BC3FF3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe /r remove @HID\sthid* >> inst.log..utils\devcon.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd.exe /u sthid.inf >> inst.log..utils\devcon.exe install sthid.inf HID\sthid >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\install_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):232
                                                                                                  Entropy (8bit):4.799817305367961
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:/Ajs/dRLPIc+JIIbdRLPIevKIIlBRcGIIbdRL6VKT7:kiddcjddMr/jdD7
                                                                                                  MD5:4D969376976863ABA27CCF817EB97219
                                                                                                  SHA1:F65EA3234AFC4741F48AF51EE83280520969BF5A
                                                                                                  SHA-256:C62D9158C0807D0EE3225E13BAD307199AF61DF1659ADCA91E1361865C325EEE
                                                                                                  SHA-512:88F38ED5AD7FECDE209782D1111C142BE63AE54D73A71E737BEBC0FB1498D7988AC9EC0173DEF5F6E0A17192A5F802145E69BFDA606B253AFBFE23B5058A7413
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove @HID\sthid* >> inst.log..utils\devcon64.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd64.exe /u sthid.inf >> inst.log..utils\devcon64.exe install sthid.inf HID\sthid >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.cat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11968
                                                                                                  Entropy (8bit):7.0656302139179195
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:5eMsGsZrVjbd/22z0yK2zFWQFyGZh4qnajA3vKkCTglckNVa:HsGsZr5pRpFRj0lo3CXkNk
                                                                                                  MD5:50BD9CFE7F724B3001FC833FF3FC284D
                                                                                                  SHA1:5A2D4C52C87170AFAE9F3F4DC75A81A046FF3EEB
                                                                                                  SHA-256:C7AE67C9A0669F2798ECA4452552F8F4919E2FB6D117ED290AC3F64966ECEEE0
                                                                                                  SHA-512:52CC8930BAC7CBE7AF9C2B64D8A3BCF874D76DDFA21691B3B47E4B5BE938BF42D1D0BF0B6BFA3EEEC61D81328B41FB608AC8DA5F278BF06C1AB294B0055FB3FF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:0.....*.H..........0......1.0...`.H.e......0..X..+.....7.....I0..E0...+.....7......C....G.|J].q.z..130223030803Z0...+.....7.....0...0.....c.....I..x.....c...1..0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...0R..+.....7...1D0B...F.i.l.e.......0w.d.f.c.o.i.n.s.t.a.l.l.e.r.0.1.0.0.9...d.l.l...0.... . q&H.Hv4;.s....N....uB^...@_.%1..0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...0R..+.....7...1D0B...F.i.l.e.......0w.d.f.c.o.i.n.s.t.a.l.l.e.r.0.1.0.0.9...d.l.l...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... . q&H.Hv4;.s....N....uB^...@_.%0.....o..5....,.SV..\....1~0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...06..+.....7...1(0&...F.i.l.e........s.t.h.i.d...i.n.f...0.... (..~......&vHk_..4U..:.Tu="|:H.1..0...+.....7...1...02..+.....7...1$0"...O.S.A.t.t.r........2.:.6...2...06..+.....7...1(0&...F.i.l.e........s.t.h.i.d...s.y.s...0]..+.....7...1O0M0...+.....7...0...........010...`.H.e....... (..~......&

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.inf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4350
                                                                                                  Entropy (8bit):5.269640657392187
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:BmLnkrr4fzkQCmlCDHCMmDtu6KgbNHYFMDO:BmLny0fzkklCmBtu4NHBDO
                                                                                                  MD5:6580EDB5B8713F3BFD3DF983758A4EA3
                                                                                                  SHA1:1E6FC7E435A3C3E20E2CFF5356DED95CF0C7D0EB
                                                                                                  SHA-256:815FBD6C3BFAE5EA77ED77480FAAC1AFAE946D4BF109B95480C60030A83AE1B1
                                                                                                  SHA-512:EA332A77DBDCC2184B2154EF496DAE4C663075447EC4ACF61E83A5AAACCF702E2F0E0F6D7F91E4499993A9B9D7C3A9A21C495EEAD606E2F5EB5F4DF272A86928
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:[Version]..Signature="$CHICAGO$"..Class=HIDClass..ClassGuid={745a17a0-74d3-11d0-b6fe-00a0c90f57da}..Provider=%splashtop%..DriverVer=02/18/2013,1.0.0.5..CatalogFile=sthid.cat....[SourceDisksFiles]..sthid.sys = 99..hidkmdf.sys = 99....[SourceDisksNames]..99 = %DISK_NAME%,,,""....[SourceDisksNames.AMD64]..99 = %DISK_NAME%,,,\64bits....[DestinationDirs]..CopyFunctionDriver = 12 ....[Manufacturer]..%splashtop%=Vendor, NTx86, NTx86.6.1, NTAMD64, NTAMD64.6.1....; For XP and later..[Vendor.NTx86]..%splashtop.DeviceDesc% = sthid.Inst, HID\StHid....[Vendor.NTAMD64]..%splashtop.DeviceDesc% = sthid.Inst, HID\StHid....; For Win7 and later so that we can use inbox HID-KMDF mapper..[Vendor.NTx86.6.1]..%splashtop.DeviceDesc% = sthid.Inst.Win7, HID\StHid....[Vendor.NTAMD64.6.1]..%splashtop.DeviceDesc% = sthid.Inst.Win7, HID\StHid....;===============================================================..; sthid for XP thru Vista..;===========================================================

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sys

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18144
                                                                                                  Entropy (8bit):6.199619066707982
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:D+CpJmsGTJgbzPvaen0XUqcZzpV1DzjBnYPL/p1P6jeL3CX:B85e4+zpbXBumPX
                                                                                                  MD5:5904635A7888083EBB86C3A1218CB59B
                                                                                                  SHA1:69540333726CEF1EABD5B75D56822B36F9065840
                                                                                                  SHA-256:00648146272AF74EF5B1E74E83F58280FA1CC403621941AB3CB4E731756289F7
                                                                                                  SHA-512:56B936EFBD05D0906577754334D9B1A562AE0AD25574E22149C6BD97950FD73809A4EF1542D4D7CAA4E5B81DF53975FDB1D57381232F9B8D17A463F1E1A81859
                                                                                                  Malicious:true
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Q...Q...Q...X...R...Q...D...X...V...X...S...X...P...X...P...RichQ...........PE..L.....#Q............................v........ ..............................................................................<P..P....`..@............*.......p..t...` ............................................... ..`............................text... ........................... ..h.rdata....... ......................@..H.data...`....0......................@...PAGE....t....@...................... ..`INIT.........P...................... ....rsrc...@....`....... ..............@..B.reloc.......p.......&..............@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\uninstall_driver.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):164
                                                                                                  Entropy (8bit):4.75247427731045
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:jTDVBF+jVy/d/KiIKTAFshseJDo7EIbd/KiIKTA8vXto7EIl2YR41NDoC:/Ajs/dCiIc+JIIbdCiIevKIIlfRcGC
                                                                                                  MD5:6E5A084690CBEDCB4F74C1C365F2048E
                                                                                                  SHA1:379AF77A9066EE1EFEA1C17A21CF1C0AD7BF17FD
                                                                                                  SHA-256:F67BFB651037E84F5AE6965B5511FA1B9BD2C819B034A8284462AF01C0E0148F
                                                                                                  SHA-512:1ED233EF2BB513DCB9F3610AC36BBEB07259EAC7BA6F96E596B111C137F6B1BB35E1200ECAB3914925C6CCB80CD3A74ACEB40FA3775300151D34C7AB9C47A84F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon.exe /r remove @HID\sthid* >> inst.log..utils\devcon.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd.exe /u sthid.inf >> inst.log

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\uninstall_driver64.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):172
                                                                                                  Entropy (8bit):4.845091480099467
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:jTDVBF+jVy/dRLX/IKTAFshseJDo7EIbdRLX/IKTA8vXto7EIl3xR41NDo7n:/Ajs/dRLPIc+JIIbdRLPIevKIIlBRcG7
                                                                                                  MD5:C949FE57CE36D8C5FF18AD66A5C83138
                                                                                                  SHA1:BE891CE4AF8434FB3A439F7F0CB9EC3E17BDB99A
                                                                                                  SHA-256:8A5E292037FFC57F78E8C8D8AE945C319A41FABEB2112099BA3FFD9D08D4C1AA
                                                                                                  SHA-512:5F22FB7C586852EF5EDB8A28250B4BAA2194FE7599E1EF0733554E512ADCC7326D625F67CACD21C06A3B9A8B43AAF7B8E23D1C529FCC1B36D3E983AF5384FC4B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:echo off..cd %~dp0..utils\devcon64.exe /r remove @HID\sthid* >> inst.log..utils\devcon64.exe /r remove HID\sthid >> inst.log..utils\DIFxCmd64.exe /u sthid.inf >> inst.log..

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9728
                                                                                                  Entropy (8bit):4.7653420469834185
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:F+0YcUgZN/zSbTyB9Bs+VC+k5JEdVMNuE:F+oUgZN/zSbTysOC+k5MVs
                                                                                                  MD5:1EF7574BC4D8B6034935D99AD884F15B
                                                                                                  SHA1:110709AB33F893737F4B0567F9495AC60C37667C
                                                                                                  SHA-256:0814AAD232C96A4661081E570CF1D9C5F09A8572CFD8E9B5D3EAD0FA0F5CA271
                                                                                                  SHA-512:947C306A3A1EEC7FCE29EAA9B8D4B5E00FD0918FE9D7A25E262D621FB3EE829D5F4829949E766A660E990D1AC14F87E13E5DBD5F7C8252AE9B2DC82E2762FB73
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Jp.....V...V...V.ivV...V.igV...V.iaV...V...V&..V.iqV...V.icV...VRich...V........PE..L....zZP.............................#.......0...............................P............@...... ..........................d(..P............................@..l.......................................@............................................text............................... ..`.data...x....0......."..............@....reloc.......@.......$..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10752
                                                                                                  Entropy (8bit):4.547294400796419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:yg/LSSz/NZS+cI818WJ6TPPeqj6wnzX/bHz3coD:yg/LSSz/NZSBITOg6+D/X
                                                                                                  MD5:F512536173E386121B3EBD22AAC41A4E
                                                                                                  SHA1:74AE133215345BEAEBB7A95F969F34A40DDA922A
                                                                                                  SHA-256:A993872AD05F33CB49543C00DFCA036B32957D2BD09AAA9DAFE33B934B7A3E4A
                                                                                                  SHA-512:1EFA432EF2D61A6F7E7FC3606C5C982F1B95EABC4912EA622D533D540DDCA1A340F8A5F4652AF62A9EFC112CA82D4334E74DECF6DDBC88B0BD191060C08A63B9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................................................................Rich....................PE..d....vZP.........."...... ..........(%.......................................`.......`....@.......... ......................................4+..P............@...............P......p...................................................8............................text............ .................. ..`.data........0.......$..............@....pdata.......@.......&..............@..@.reloc..8....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\StHidNotSupport.reg

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows Registry little-endian text (Win2K or above)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):288
                                                                                                  Entropy (8bit):3.654691319611147
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAG+DZeMV4GGMVQIwchhyR12qv:Qy5hVZteAxDZBuGp/hUp
                                                                                                  MD5:AFB11B8A638A36856B635F9805BEC627
                                                                                                  SHA1:29E88479691D922698D1DAEC3F06EFD438CB90F1
                                                                                                  SHA-256:908EF8C0EEE73EFFAE7CA6AAEF29387302B1D69AEBE5EA587DEE7F1589F418D6
                                                                                                  SHA-512:1C929F635DF273BF7843A433C461761374E3CE8B2A41C479E2AA9B6A27F4CEF5CE78BAE8902EE99673E33E9E165333A1A4C09D8503F259809F282E6B4A15EBA9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.O.F.T.W.A.R.E.\.S.p.l.a.s.h.t.o.p. .I.n.c...\.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r.].....".S.t.H.i.d.S.u.p.p.o.r.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.0.........

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\StHidSupport.reg

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Windows Registry little-endian text (Win2K or above)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):288
                                                                                                  Entropy (8bit):3.6709758888329973
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:Qyk+SkWCiiCRroZ6IJlUAG+DZeMV4GGMVQIwchhyR12q8:Qy5hVZteAxDZBuGp/hU2
                                                                                                  MD5:4F4EC6847BC91FCFAC8BFE7840649CCE
                                                                                                  SHA1:642FB6860473391D28E1DC407A81B3829D048AFC
                                                                                                  SHA-256:CC4837A65AE43EDF3AA3FD2C77912A881694C43EE203A127CE27641455AC7AD3
                                                                                                  SHA-512:C896A60395237BED708C79CDBFF2FE9685E8B42A140EF96C2352559128B7700DFF8CA7267261A9EB5143583F296D0498C811E092516408B5500CC75DA8409C44
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..W.i.n.d.o.w.s. .R.e.g.i.s.t.r.y. .E.d.i.t.o.r. .V.e.r.s.i.o.n. .5...0.0.........[.H.K.E.Y._.L.O.C.A.L._.M.A.C.H.I.N.E.\.S.O.F.T.W.A.R.E.\.S.p.l.a.s.h.t.o.p. .I.n.c...\.S.p.l.a.s.h.t.o.p. .R.e.m.o.t.e. .S.e.r.v.e.r.].....".S.t.H.i.d.S.u.p.p.o.r.t.".=.d.w.o.r.d.:.0.0.0.0.0.0.0.1.........

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):77824
                                                                                                  Entropy (8bit):4.995224286140262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:3zrhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkA:3+KY04RMmSCYmBiF4O7WT
                                                                                                  MD5:B40FE65431B18A52E6452279B88954AF
                                                                                                  SHA1:C25DE80F00014E129FF290BF84DDF25A23FDFC30
                                                                                                  SHA-256:800E396BE60133B5AB7881872A73936E24CBEBD7A7953CEE1479F077FFCF745E
                                                                                                  SHA-512:E58CF187FD71E6F1F5CF7EAC347A2682E77BC9A88A64E79A59E1A480CAC20B46AD8D0F947DD2CB2840A2E0BB6D3C754F8F26FCF2D55B550EEA4F5D7E57A4D91D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........L..."..."..."....."......"......"...#.S."....."..`\..."......"......".Rich..".................PE..L...#.pK.................l..........Td.......................................P............@...... ..........................lm..........p....................@...... ...............................0...@............................................text... j.......l.................. ..`.data...4............p..............@....rsrc...p............v..............@..@.reloc.......@.......&..............@..B........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):81920
                                                                                                  Entropy (8bit):4.977706172799676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:MP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7W:MePOYe4bu1epDh8RW
                                                                                                  MD5:3904D0698962E09DA946046020CBCB17
                                                                                                  SHA1:EDAE098E7E8452CA6C125CF6362DDA3F4D78F0AE
                                                                                                  SHA-256:A51E25ACC489948B31B1384E1DC29518D19B421D6BC0CED90587128899275289
                                                                                                  SHA-512:C24AB680981D8D6DB042B52B7B5C5E92078DF83650CAD798874FC09CE8C8A25462E1B69340083F4BCAD20D67068668ABCFA8097E549CFA5AD4F1EE6A235D6EEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X...9...9...9...AF..9...AW..9...A@..9...9..f9...AP.9...AY..9.......9...AG..9...AB..9..Rich.9..........................PE..d.....pK.........."......~...........s.......................................p......|.....@.......... ......................................X}..........p.......T............`......0................................................................................text....|.......~.................. ..`.data...x...........................@....pdata..T...........................@..@.rsrc...p...........................@..@.reloc..p....`.......>..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):207368
                                                                                                  Entropy (8bit):6.378808548088601
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:MGvbxQU5LtKgqNkNG7MJWl8k0XbTqShbC4bNz3T0pqKJ:FLsglJNh1bNz3T0p1J
                                                                                                  MD5:A105E10AB81079B7700356131D2D0161
                                                                                                  SHA1:3954BF9B1A169D1BD93CA36181DB074786442A73
                                                                                                  SHA-256:70D0E42A6A3BCC049EDD3EA5470005F580CFF6A2253699A9F437F04C1EBE349F
                                                                                                  SHA-512:B5682189597DCD5E3843D640DA3230711EA33FBD907EF1D79D7E3B3985BEA6AEA48BF5EF4FCE93D89459B00EBBDD428CC049D950602F4027823DDBBEDE2A89C7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.......E.Zj..49..49..49..78..49..18..49&LI9..49..49$.49..k9..49..9..49..08..49..78..49..181.49..08..49..58..49..59..49o.=8..49o..9..49...9..49o.68..49Rich..49........................PE..L......f...............&.....t....................@..........................@.......a....@..........................................P..p................(... ..P.......p...............................@............................................text............................... ..`.rdata...{.......|..................@..@.data...P....0......................@....rsrc...p....P.......$..............@..@.reloc..P.... ......................@..B........................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):198608
                                                                                                  Entropy (8bit):6.465406905232138
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:mNvlfI7fn3+ksrtRYs5BZdHEsTznNZQtiF22W9bKReKn:+fMnuhrrYszTjTQtiF22WKl
                                                                                                  MD5:B51CB7BD99774F42D4FCD81522E159DA
                                                                                                  SHA1:815646C93E09F0DB23951F3D8CD7319240CDBD43
                                                                                                  SHA-256:55C8BEEBC29238A691AF1FDF44D922BDAC9B47034956311A9D467374049462C2
                                                                                                  SHA-512:3375489BC03A442775FB02C5AB1D264FF2A972A805179B9F860D1FF26F09E529DCF7D03EA18CF3D56FC1DD429423C344CBFC4B89F20158D84896AA257240796A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........f.............+......(......-......).......`...p_....>......?.5....?.,....?./....?.*....Rich...........PE..L......R...........!......... ......!........................................0......m8....@.........................pa..o9..8R..P................................"......8...............................@...............h............................text...F........................... ..`.rdata.............................@..@.data....8.......4..................@....rsrc...............................@..@.reloc...7.......8..................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):561584
                                                                                                  Entropy (8bit):6.5335413043485335
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:n+Uac7b2syTCmCZ9z7I6KxOYDkHlTiO+k86hiCivi:+UacGbC7bYgHlTi6eo
                                                                                                  MD5:A9A9D31764B50858A01B1FB228406F06
                                                                                                  SHA1:7A313C46F049287045992F54F9D6EDA9DB568EF8
                                                                                                  SHA-256:C0BABD7670124BB298D3BA6A8EE5AE33AD1030C08A18D8B8861F5D83003EB645
                                                                                                  SHA-512:164D5497AA91A5B4742A291F589400BC0B189AF946615A2F04E6CFD1ED598A542F7521E4DD79AAB99414846A3C391255309F911C247EF446A0483D9FAB6EFDFC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................h......._(`........................................V....V......V......Rich....................PE..L...9..X.........."!.....X...h......-T.......p......................................}/....@.............................`6...D..P....................z..................................................@............p...............................text....W.......X.................. ..`.rdata.......p.......\..............@..@.data...TT...P.......<..............@....gfids...............H..............@..@.reloc...........0...J..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1077592
                                                                                                  Entropy (8bit):6.435239338734592
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:n7PeeMxAg8KA6EhyC/H488sCGF8MBo9Bi8sROlu4VWKl6sEPdf8/2RYv:cxNEhyC/H488sLqMDIlu4Nl6suK2Re
                                                                                                  MD5:EEDA10135EDE6EDB5C85DF3BD878E557
                                                                                                  SHA1:8A1059DFD641269945E7A2710B684881BB63E8D2
                                                                                                  SHA-256:4B890DE3708716D81C1C719B498734339D417E8FFC4955D81483D1EBC0F84697
                                                                                                  SHA-512:A56BFC73537E36EFBA8E09FFD0B2F6BFC56BC4CB4FE90B52858C7AFD5D67DB23CCBA51C8097BEFE4ECB5082BA66C2B2612E2975EF3448252C48B97F41D12D591
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^1...P...P...P..!z=..P..!z<..P.......P...P...P.......P.......P......!P......qP..=...<P.......P.......P..Rich.P..........................PE..L...8d#I...........!.....>..........a........P...........................................@..........................6..c....)..<.... ...............V..X....0..........................................@....................)..`....................text...s<.......>.................. ..`.data...d....P...H...B..............@....rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.cnf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):592
                                                                                                  Entropy (8bit):5.220610311013542
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:oOtKAD4cL4jVpfWBzX2TShiucyfQ3W+/07T1raW1ijTofkVge1O0lgxErqM6n:ocKVg30ucSw07TNa97VgQ6erJ6
                                                                                                  MD5:E077993E994D28BBC7502681280C5551
                                                                                                  SHA1:9C3B360F9E81CCF8C8B56BE25E4CE9D67D1F61B4
                                                                                                  SHA-256:B8D539255FB1EA42EE3B06F0E314B037E35701E2B258272889D866DD3419526B
                                                                                                  SHA-512:B2FED3539BD94999F9F9A2CFEBAC6A3632212C10F3D97A5129E444FC548D1685877D0810790B71D342A4EF9080D1EFC73BF7A9493B5CCBD93232231EE2251ABE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:config_diagnostics = 1..openssl_conf = openssl_init....[openssl_init]..providers = provider_sect....[provider_sect]..fips = fips_sect..base = base_sect....[fips_sect]..activate = 1..install-version = 1..conditional-errors = 1..security-checks = 1..module-mac = 73:FF:87:A3:02:5E:E0:EE:AC:F3:E0:B1:9C:93:CB:FD:3D:05:93:39:98:A8:41:A4:EA:76:82:17:3B:38:E8:86..install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11..install-status = INSTALL_SELF_TEST_KATS_RUN....[base_sect]..activate = 1....[algorithm_sect]..default_properties = fips=yes

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):697352
                                                                                                  Entropy (8bit):7.893951271183897
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:OB44g9qIIyg5RJbw/L5zQZVaOwZdTGJ5zk1m5GFsXvHOg9wlU7:OB44lIIygZb8L5zQyXZRdi2apwlU7
                                                                                                  MD5:68D8D459EE6A5027FFE35302B21D66FA
                                                                                                  SHA1:91299E1FF75B293A18105FBDFCB2CDE92A6C8507
                                                                                                  SHA-256:0EF5739FCC3850411E1DB6AF2E194E25C7E473BB950A387A7C851FE02660B4E8
                                                                                                  SHA-512:C032E6C057DA58374FF51B50B2146E4B27EB6A18A452668EB2C78E3F4E729399F303873A2DC40F5910826A4F23146DFB851B62DF3D5948A9039EC6ED23E53B32
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........3...`...`...`..a...`..a...`..a...`...a...`...a...`...a...`..a...`...`..`...`...`...a...`...a...`..j`...`...a...`Rich...`........................PE..L...K..e...........!...&.....................0...............................@....... ....@..........................4..P....3.......0...............|...(...4......................................................................................UPX0....................................UPX1.............r..................@....rsrc........0.......v..............@......................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.cnf

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):168
                                                                                                  Entropy (8bit):4.40567624896974
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:ekfDaZOtK1FA1Jn4R7mvLvn4RYVXKCw/AFLr+TmNfOmZyJn:xiOtKADn4NmvDn42oCQG3+TJn
                                                                                                  MD5:A43B7D72B482D48804B377D8832C2693
                                                                                                  SHA1:B1598EFDA8E9863F520ABEF9AAA942C313C002FD
                                                                                                  SHA-256:9ACDE3809E2C02FE5D6C59153AEFFFE6628996EC5CFB7C2385865DCD1EC8BE7E
                                                                                                  SHA-512:F0777A8F79E70F8A12F531C3E77F5241E9ED46ACC6A1CBF06FF7A29D91EE281E4CD2A9C1832642992FE74D33B052670F85439E5925FDB7C44DE60014E53712DA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:config_diagnostics = 1..openssl_conf = openssl_init....[openssl_init]..providers = provider_sect....[provider_sect]..legacy = legacy_sect....[legacy_sect]..activate = 1

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):160776
                                                                                                  Entropy (8bit):7.897311739545073
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:M2uLSdBwPPvzj+2a7wQptIkcIWqmHT+BBI/gM6Z+a:Xum0PSwQptIXIWqyH4MO
                                                                                                  MD5:CF52DBEFBE8BC2DCD493CDBF050048E1
                                                                                                  SHA1:AED132B049C77FD77645D07B443E1B4E96CB5E51
                                                                                                  SHA-256:8080E398EDC43E652C0A104F62AD3C865E9BDC75C2E3936870DEAF43FEDBC3A4
                                                                                                  SHA-512:75133444A893002B9933EB3A44B66CD862FEDC9C05579B188EB250BBC3CC00C61533FB3AA58A1D9B89B45F83CFF8A3B02CB0FB605B299E0E7BACE13B99020207
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......,..h..h..h..#...b..#......#...|..#...j..nN..w..nN..x..nN..|...N..k..h.....h..i...N..y...N..i...NU.i...N..i..Richh..................PE..L...J..e...........!...&.P.......p..P................................................Q....@.........................l...P............................L...(..........................................<...............................................UPX0.....p..............................UPX1.....P.......B..................@....rsrc................F..............@......................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):106496
                                                                                                  Entropy (8bit):6.320347627393314
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:gdvQnJ9Cy5G4XmkRCXZ5YPPAq4SjIZUKzFrRjbuPp9ABU:gdvby0lZ5YPPAq4SjIZUKLjbuPTgU
                                                                                                  MD5:D858121C47064F3DD7DDA829D1E01620
                                                                                                  SHA1:5F46AFAD5EEF3CA6E06D6D9DD660BA21A1CAD711
                                                                                                  SHA-256:C4324843F73B573D9D569012E37D17A34E17D0DBA55CB77993531A42667994B5
                                                                                                  SHA-512:C807D41739FA6519F0C3662C47BDD58860F87068177A9024C0E6C98FE9A27E2C73A57F81909AFD9A7756F3D54C88AC8007EE37E9B3FA5F0A04E3F8A9BEC74D20
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......K.>..S......#.........:...............0.....m.................................a........ ......................P..o....`.......................w...(...p.......................................................................................text...............................`.P`.data........0......................@.`..bss....4....@........................0..edata..o....P.......*..............@.0@.idata.......`.......6..............@.0..reloc.......p.......:..............@.0B................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1326600
                                                                                                  Entropy (8bit):7.8708551072063875
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:U1RJO1z1sYP0y5EU9dt6VpjccWjqV9JSJkj+KuZzwBMwNG7RHHsi4+uC5:UtO11sYF5LGVyfqV/TyDZzsMEQw+uC5
                                                                                                  MD5:72D867E8C7A84374AA72BF7FECA4334E
                                                                                                  SHA1:BBE4C42BEB19A1F23BFBCFC5A67164D5EA29784E
                                                                                                  SHA-256:17D29B81FAEA714B5A93008711D92D1329B22244A2E9F56736064CAA4FD3CD84
                                                                                                  SHA-512:B523DF6FFE4A51180CDF2BDA761B01A521391A6B24E081309C33C91835C19BE96015B932D527822F5837802A979A3C48F5CC111892C47C082E8BCB8F2115AC3F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........V...8P..8P..8P..;Q..8P..=Q..8P..<Q..8P.S=Q..8P.S<Q..8P.S;Q..8P..9P!.8P..9Q..8P..8P..8P.S<QV.8P.S8Q..8P.S.P..8P.S:Q..8PRich..8P................PE..L...%..e...........!...&.....0....(...:.. (...:..............................@<......v....@...........................:..!....:.@.....:..................(...6<.....................................t.:.............................................UPX0......(.............................UPX1......... (.....................@....rsrc....0....:..(..................@..............................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):374280
                                                                                                  Entropy (8bit):7.91728824512086
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:WYe2D4vE6mAQmh9ophnxdm2U6jpn99hURD+2XIG/jNsfowDmbpNsD5PK07OxI4ME:1DqqAQnvnxdmFopn98hR/jGnDOKSsNTY
                                                                                                  MD5:278D7F9C9A7526F35E1774CCA0059C36
                                                                                                  SHA1:423F1EBD3CBD52046A16538D6BAA17076610CB2F
                                                                                                  SHA-256:12177DAE5E123526E96023A48752AE0CB47E9F6EEAFC20960F5A95CA6052D1B8
                                                                                                  SHA-512:75F8C4856FB04B2D5E491F32584F0AAEFA0D42356E12320CBCB67DF48E59C7F644512C2C5146FD7791C2CCB770FD709A8D8E4C72EAFB74C39E1336ACCB49A044
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......g7..#V.[#V.[#V.[h..Z.V.[h..Z.V.[h..Z7V.[6)2[%V.[6).Z3V.[6).Z;V.[6).Z.V.[h..Z'V.[...Z&V.[#V.[.W.[...Z.V.[...Z"V.[..0["V.[#VX["V.[...Z"V.[Rich#V.[................PE..L....)he...........!...%..... .......c.......p......................................+\....@..........................v.......u.......p...................(...........................................e..............................................UPX0....................................UPX1.............x..................@....rsrc.... ...p.......|..............@..............................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):623056
                                                                                                  Entropy (8bit):6.452703221703766
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:vcqfl06LEuieb/drb93hVzyp5dl+lyyMKhoRZhD9ZKck9Qh/5Ffdw0CnbHu9gJJt:kqdFzbFrbUp5dl+lyyMKhoRZhD9ZKckB
                                                                                                  MD5:B03D660319962C265C8A5E6F89CD019D
                                                                                                  SHA1:289BA87563ABA33D9385C04834745AF4F5BE1882
                                                                                                  SHA-256:66ECEBD3D11557D42AE33B64E522F371D6D27651B8B7350BEF41F691FAB1465E
                                                                                                  SHA-512:F5376FE1195A14DCC4F1265F61088EF0452C72DCF17F0B7AA4ED4DB903347C60C9557E556DEAF0244DB0A5F3EA8B7065D7D66BD1638D1EC566EE26110854D5E1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......97..}V..}V..}V.......V..t...tV..t...mV..t...zV..}V...V..t....V..t...|V..c...|V..t...|V..Rich}V..........PE..L......Q...........!.....b..........+*..............................................?.....@.............................Uh......P....................j..............................................p...@............................................text...~a.......b.................. ..`.rdata...............f..............@..@.data...$.... ......................@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                                                  Category:dropped
                                                                                                  Size (bytes):341512
                                                                                                  Entropy (8bit):7.896157399444813
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:M9tl9yREhb42jcvlftvY5RL2vu2K2KTYJ1EbH18sggSNOCZ174h5o1YL6yTlNhRY:M9tcu4Jlft1223K61EjNSNOWih5y38lu
                                                                                                  MD5:99A6A9656DA926AF8AA648D50B47DCFB
                                                                                                  SHA1:81DB96003BD8F63250ABC7E59FB35E0227D3F28A
                                                                                                  SHA-256:FDF1F9D0AF4FF8E5CBD4387D6849327E91F0EEDD1BEFE58D7DD8B6EC40E90A98
                                                                                                  SHA-512:16E850FDABF76A11ED4176E0FD57DAFB64FAF9551EA220D003C5A86AFF8C39AB40D66F7AC7FCC6EF71CFA7E1D6268BBC23E32AA5CF69DF58A5D05F666701F3C0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........t.....................V................................................................................Rich...........................PE..L......e...........!...&.....P.......b.......p......................................3.....@.........................lt...>...s.......p...................(..$.......................................|d..............................................UPX0....................................UPX1................................@....rsrc....P...p...D..................@......................................................................................................................................................................................................................................................................................................................................................4.01.UPX!....

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1080328
                                                                                                  Entropy (8bit):6.546182768824596
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:B99IeBE76bZaCUrF0XbuqIpInZVrUCzfk44dN:B9S+EAZeY/UfP
                                                                                                  MD5:86E88F1FB340A5277C93EA1CE13BBC3A
                                                                                                  SHA1:89AC87A63B5F8FF5510A555F5FB9F033BE6CA684
                                                                                                  SHA-256:36835DDABB167330B4714B106B7C26E8DAC6A9ACF7C48A9967049B0FAA6BC709
                                                                                                  SHA-512:2131686FFAE474AD8A98A20B18DDD5A9E19C86B76FE2F3B4A2E648F3990F43EA4855AD72F2B33C9D89174E23A4FBAE1F9D92EDA0672A32D1FF90E7F3A79AB996
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....TN...........#.........P.....................q.........................p................ ......................p..............................T...(...0...9........................... ..........................P............................text...L...........................`.P`.data...............................@.`..rdata..............................@.`@.rodata..............|..............@.`@.eh_fram ...........................@.0..bss..................................`..edata......p......................@.0@.idata..............................@.0..CRT................................@.0..tls.... .... ......................@.0..reloc...9...0...:..................@.0B........................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6329352
                                                                                                  Entropy (8bit):7.4738813606885115
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:196608:Jt6kO6/VTpHN7Znz3/8ocePOfY0VkOl9By453fA9NBF7QmQVmdYdlkSImp:QDiBFVImdYIE
                                                                                                  MD5:AC2D9A2E18E2E094D7B5CA8E817E3FFF
                                                                                                  SHA1:3371C9E19CCE06550E79C6C8FE679500468B1EC5
                                                                                                  SHA-256:0F23E1B1E15E7C1D4195CB8F2084826AC71D0859FC0DB6B32A5742F91F8F85D3
                                                                                                  SHA-512:1D1C390BEAD73C3D9493BBFFDBAACF1FC28082ED191343BAED84FB7DE47B98DD9AE554453A5A7654180FCDF4BE0D0804D813E7BBF4CE25639166CF476D995853
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........p.5;..f;..f;..f.c.g&..f.c.g:..f.c.g...f.c.g...f.c.g:..f.c.g...f;..f...f=..g(..f=..g!..f=..g...fU..gb..fU..g:..fU.tf:..f;..f:..fU..g:..fRich;..f................PE..L.....f...........!...&.F...nD.....J0.......`................................`......-a...@...........................".p... .".......#.`.:..........l`..(...`^...... .T...................@. ....... .@............`...............................text....E.......F.................. ..`.rdata...u...`...v...J..............@..@.data........"..j....".............@....rsrc...`.:...#...:..*#.............@..@.reloc.......`^.......].............@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2005000
                                                                                                  Entropy (8bit):6.624696799511872
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:rwkv3AEJVKqoLUlWLSEs8DpybBXpL3yZBvlO5:rwC3j2qAUlWLSLmpGBXpL3yHlW
                                                                                                  MD5:0D77D0EDAB71BC7CE8548046C6F5A20D
                                                                                                  SHA1:E36342F383ABF011CF58ED60EB13D91BA34E3A34
                                                                                                  SHA-256:BEB0305A0FB9A46968FFB2BC79517A99A576035526C84BDBDF9BE133F011C664
                                                                                                  SHA-512:DED77DCA4844392C1B1DCC15639D0B25F7D63280004FD0F04841C7B3888A3C57A6C87D21D49E2C5CE2896424A10ED8268D279C6DAD75C79CEB534B7722D539C6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..7..7..7.....-................6........7..N..1(.$..1(./..1(.]..Y(.<..Y(.6..Y(..6..7.}.6..Y(.6..Rich7..........PE..L....f...........!...&............................................................C.....@.............................<...L........p..hA...........p...(..............p...................@...........@............................................text...u........................... ..`.rdata..............................@..@.data...@........X..................@....rsrc...hA...p...B..................@..@.reloc...............Z..............@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1983496
                                                                                                  Entropy (8bit):6.6299038070846645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:NIYgCqjym2NozCi6nYZsv/WXS6zuB41zLeBI6J:N7gll1C5nYZsvOXS0s41zLeBIq
                                                                                                  MD5:75AB51BAB8CD08516EB80A3BF7731B02
                                                                                                  SHA1:004A198392505D21FCDFF8BBA03D90496FBC284F
                                                                                                  SHA-256:69B43E8DDB44805F4B8D0DFE96E87AEAF62539222AC3EC3D76A181111C42C8FE
                                                                                                  SHA-512:7FB64882BDDA4E60DBFB73879AE1A6F35E6F6ABBF2E35EE3C599AA4721EA001D026A43AC8AA480E850DEFBE5ABD28A24EB0EEC09F31C433466B70D1C9BEDFACC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p&{.4G..4G..4G...5...G...5...G...5...G...5..5G...5...G..4G..}D..2...'G..2...#G..2...VF..Z...2G..Z...5G..Z...5G..4G..5G..Z...5G..Rich4G..................PE..L......f...........!...&.............................................................1....@..........................L.. ....M..T....0..PA...............(......`...X...p...............................@...............@............................text............................... ..`.rdata..............................@..@.data...8........V...t..............@....rsrc...PA...0...B..................@..@.reloc..`...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2106376
                                                                                                  Entropy (8bit):6.6280788769386465
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:y48idMQ9Y5ZcUJ7eUDnfc2/wkj344rVDqef5IIuV4aj:84B9Aew7zDnfc2/Jj344rVDqef5A
                                                                                                  MD5:942C70152BA3244B62A888D6A938BF53
                                                                                                  SHA1:634E1E1BF677583CA95F576CF6B637843B4A1FF6
                                                                                                  SHA-256:54E7615D9793B38A0132A3363A81791D1DCA92E50772919FF341B7537FD6CB6E
                                                                                                  SHA-512:2C1873E205659FCCD575E7E84E710607C7F1F9048F3F20A02135B0BDCB5685ADB81D404E58E03FF141A7B045A02417F7B7349AEE8C2BB3FCAEA7E386C12A0020
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N-...LyL.LyL.LyL.>zM.LyL.>}M.LyL.>|M.LyL.>.M.LyL.>xM!LyL.LxL.OyL..}M.LyL..zM.LyL..|M.MyLd.pM.LyLd.yM.LyLd.L.LyL.L.L.LyLd.{M.LyLRich.LyL........PE..L...,..f...........!...&.....H.......c........................................ ......' ...@......................... ... ...@...|........D...............(...P...!......p...................@...........@............................................text............................... ..`.rdata...9.......:..................@..@.data........P...\...8..............@....rsrc....D.......F..................@..@.reloc...!...P..."..................@..B........................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2348552
                                                                                                  Entropy (8bit):6.688294936308829
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:HTRAnBdwDzYRzDHUF0GYbijFnrQ/W+52Nc5hM0wTcC1za:HtABCDozDUF0zbijtrQ/W+52S5hM0lCY
                                                                                                  MD5:03C936EF7404BF8AFE5CBA9DE78CB739
                                                                                                  SHA1:B4A5A4FB99A0F8BE1C8EFA19B4FF89353C471686
                                                                                                  SHA-256:4A402E31075D7DA14D666B03B23263A051301341D0118016A72D062FF7045D26
                                                                                                  SHA-512:78B94138FD58009F38E4CE1444FC1EC19A165C32537FED1E84C10767B4F525CFE88C8F42A7F5D9E9529C8175597B9D2001F65BBBA0D6BE364D3ADE39309CEABA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........P...1...1...1..#C...1..MM...1..MM...1..#C...1..#C..,1..#C...1..#C...1...1..}2.......1.......1......y0...I-..1.......1.......1....Q..1...19..1.......1..Rich.1..........................PE..L...H..f...........!...&.....^...............................................0$.......$...@........................... ...... .......!.`E............#..(....!..5..0...p...........................p...@...............P............................text...B........................... ..`.rdata...9.......:..................@..@.data......... ..^.... .............@....rsrc...`E....!..F...2!.............@..@.reloc...5....!..6...x!.............@..B................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):108032
                                                                                                  Entropy (8bit):6.392406183079777
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:4DMkwASAlBbybU8rxkQz/g9pV9Z2dcvxp267OKiY+dp9oL:4oASAv9FYUp3OKiY+n9oL
                                                                                                  MD5:93601A93026211DE5CB00C3827883EEC
                                                                                                  SHA1:931CBC627272361425EFCAEE6362B041A3FF6E3B
                                                                                                  SHA-256:1959B8E79F5BC0AB7451F0F362A714572136503C864C974E1088B1951EE592A1
                                                                                                  SHA-512:53C5F46A1E1F188C429EE686F9CE7E0A8ED5B5BDFA51D8DD3B619B9FD61B8F6EDCC162BCBA667E6336CBED8056F0A17A614170C60059BDB2947770223D19FBC5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......@.....{...{...{.......{.....'.{.......{.....s.{.#.....{...z.f.{.......{.......{.......{.Rich..{.................PE..L....9._...........!.....&...|......P-.......@..................................................................... r..s....k..(...............................l...`A...............................f..@............@.. ............................text....$.......&.................. ..`.rdata...7...@...8...*..............@..@.data....L.......0...b..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\reboot.bat

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3221
                                                                                                  Entropy (8bit):5.297235243948338
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:3UoGnVsAdB/+8W3/VcCDO/wAKCRIpCBIweFC4+C/+CYFc:3UoGnVldBWtejp6tL
                                                                                                  MD5:ABE8E3568B6D951E7DD395DA46531932
                                                                                                  SHA1:304D81C1B48E16533EF691A9C965818136B9583C
                                                                                                  SHA-256:EB700422C31C15757A6C70141274A184D291AAC3BDE191A964F75A90BC084143
                                                                                                  SHA-512:19A79D90883103302BDDBAC8A765C6A5196FB78C223D911633285B4BA44EBFFA9C64690102498E3BEF5991DBA0F28847473A44D4F9AA7D637A4C4D3F1EFEA12E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:@ECHO OFF..rem %1 - mode..set RMode=%1....IF NOT defined RMode (.. set RMode=1..)....echo RMode=%RMode%....IF %RMode% EQU 1 goto close_and_open..IF %RMode% EQU 2 goto normal_reboot..IF %RMode% EQU 3 goto reboot_to_safemode..IF %RMode% EQU 4 goto shutdown_byebye..IF %RMode% EQU 5 goto boot_to_normal..IF %RMode% EQU 6 goto boot_to_safemode..IF %RMode% EQU 7 goto normal_reboot_asrs....echo RMode=%RMode%....:close_and_open..net stop splashtopremoteservice & timeout /t 5 & net start splashtopremoteservice..GOTO end....:normal_reboot..SHUTDOWN -t 10 -r -f -c "Your Splashtop admin has issued a reboot."..GOTO end....:normal_reboot_asrs..SHUTDOWN -t 25 -r -f -c "Your Splashtop admin has issued a reboot."..GOTO end....:shutdown_byebye..shutdown -t 10 -s -f..GOTO end....:boot_to_normal..ver..ver | findstr /i "10\.0\.*\." > nul..IF %ERRORLEVEL% EQU 0 goto ver_nt6x_boot_normal..ver | findstr /i "5\.*\." > nul..IF %ERRORLEVEL% EQU 0 goto ver_nt5x_boot_normal..ver | findstr /i "6\.*\." > nul..IF %ER

                                                                                                  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):194632
                                                                                                  Entropy (8bit):6.700953544041196
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:CgElAKvMslbFN3XCm3dbSDcTn6iw5t4FEvQeXyB8LGeph+K:IFD3dmABw5SFEv/ypeqK
                                                                                                  MD5:4A2F597C15AD595CFD83F8A34A0AB07A
                                                                                                  SHA1:7F6481BE6DDD959ADDE53251FA7E9283A01F0962
                                                                                                  SHA-256:5E756F0F1164B7519D2269AA85E43B435B5C7B92E65ED84E6051E75502F31804
                                                                                                  SHA-512:0E868AD546A6081DE76B4A5CDCC7D457B2F0FB7239DC676C17C46A988A02696B12A9C3A85F627C76E6524F9A3ED25F2D9B8E8764D7E18FC708EAD4475591946F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............................9...................................................................Rich...........................PE..L...4.*b.........."!.................C....... ...............................@............@.........................p...........<.......................H.... ..P.......................................@............ ..d............................text............................... ..`.rdata..N.... ......................@..@.data...............................@....rodata.............................@..@.gfids..............................@..@_RDATA..............................@..@.reloc..P.... ......................@..B................................................................................................................................................................................................

                                                                                                  C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):107520
                                                                                                  Entropy (8bit):5.61222820248956
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:+Tk1M9FgUVRP4ZCebOnhAKmMAhyAc00dX62Cbkmcg3vtTqlsobxF:p6gUXPe0nCKmMAt0dK2CbkKvtTqxF
                                                                                                  MD5:28D920237F64F246331725C1B2A29D1B
                                                                                                  SHA1:6CBBAEAB2AAF910F7397771C4E2B5BA7D5719C9F
                                                                                                  SHA-256:79F6FADF2E77652D0D7FCFE3D82E0F2382DC373DB0F2A1D7499D1EEC0BA514AA
                                                                                                  SHA-512:D89DC5C0DA0962B43FBBAE57D373C543C1023BFDBA59721E9DE22BE6225C6207742C6E80FB737CEBC1753C4AEC53218A04187F9FF2C78FB5F0C71D7BBFC65F32
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\o^.........."...0.................. ........@.. ....................................`.................................h...O.......,...........................0................................................ ............... ..H............text........ ...................... ..`.rsrc...,...........................@..@.reloc..............................@..B........................H...........4...............p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~......9...s....%.....s.......o......o.....*...0..O........(...........~....r...po...........,..rG..ps ...z.rO..p.....(!....b.....o"....*..0...........~....r...po#..........,%.~....r...po...........,.rG..ps ...z..r

                                                                                                  C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2050
                                                                                                  Entropy (8bit):5.046100598911167
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3frfdbK52nKS4YHJyILsJ+J4YHKJyIv47O7Rguo3XfsnMhmMx:vrf9K5kKS4Ypy6sJ+J4YqJy3qo/sMXx
                                                                                                  MD5:7FF0AC77806AED9588B143CD0FAB552B
                                                                                                  SHA1:184B62F2956B95FFE3DC98EBB31D7F45DBCA83FD
                                                                                                  SHA-256:730D85D5EF4F0939154278949C126A444ED859E7718BB175CA3153CA6ED9D142
                                                                                                  SHA-512:1856BDA8CC3D4161110CD75A7BE4939193ED408A95F9C41E22F4CC9F85B1294584F95796BCE207DD65D606FFB57760B3D2E1681EFBBB7759A19A9F70FB7EDAC8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. <add key="PubnubMessaging.LogLevel" value="0" /><add key="PubnubMessaging.PubnubErrorFilterLevel" value="3" /><add key="PubnubMessaging.LogMessageLengthLimit" value="0" /></appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="Syste

                                                                                                  C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):200704
                                                                                                  Entropy (8bit):5.683688089372797
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hjMibqfQqFyGCDXiW9Pp/+Tl4abpuu201PB1BBXIDwtqSPVINrAfvp1:GibqI59PpOPf201/z7p
                                                                                                  MD5:C8164876B6F66616D68387443621510C
                                                                                                  SHA1:7A9DF9C25D49690B6A3C451607D311A866B131F4
                                                                                                  SHA-256:40B3D590F95191F3E33E5D00E534FA40F823D9B1BB2A9AFE05F139C4E0A3AF8D
                                                                                                  SHA-512:44A6ACCC70C312A16D0E533D3287E380997C5E5D610DBEAA14B2DBB5567F2C41253B895C9817ECD96C85D286795BBE6AB35FD2352FDDD9D191669A2FB0774BC4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.K...........!......... ......^.... ........@.. .......................@............@.....................................K............................ ....................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):475136
                                                                                                  Entropy (8bit):6.032338173466497
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:g+Idc1yb868v7OgHL1Rimqj9mWTEFxLL3Y1zIalvBFj7eP9yBherOyK:gTc139iUL1RimqdgFNYddBgyH
                                                                                                  MD5:83222120C8095B8623FE827FB70FAF6B
                                                                                                  SHA1:9294136B07C36FAB5523EF345FE05F03EA516B15
                                                                                                  SHA-256:EFF79DE319CA8941A2E62FB573230D82B79B80958E5A26AB1A4E87193EB13503
                                                                                                  SHA-512:3077E4EA7EBFD4D25B60B9727FBAB183827AAD5BA914E8CD3D9557FA3913FD82EFE2CD20B1A193D8C7E1B81EE44F04DADFCB8F18507977C78DD5C8B071F8ADDB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....3............" ..0..6..........vT... ...`....... ...............................E....@................................."T..O....`..d...........................TS..8............................................ ............... ..H............text...L5... ...6.................. ..`.rsrc...d....`.......8..............@..@.reloc...............>..............@..B................VT......H........ ..D2...................R........................................(....*..(....*..{....*"..}....*..(&...*:.(&.....}....*"..('...*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..{$...*"..}$...*..{*...*>..}*.....(....*..{+...*>..}+.....(....*..{%...*"..}%...*..0...........{&......(....-..*..(....*6..s....}&...*.0...........{'......(....-..*..(....*6..s....}'...*.0...........{(......(....-..*..(....*6..s....}(...*.0...........{)......(....-.

                                                                                                  C:\Program Files\ATERA Networks\AteraAgent\PubNub-Messaging.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):171520
                                                                                                  Entropy (8bit):5.638603609887119
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:mDmFGFDi7DBhxBFBhD9J79tDJNFUK2+6Kt1n4/GVi48CGtkfqLskm3BDaEQysVia:mVKOGV3PDaEQVVi2enxmH8ETz6b2A+
                                                                                                  MD5:E8458B60D4F251DE071B765287C5661E
                                                                                                  SHA1:B4A4D91483F658B79204EC4BE2C2012EFEFD5A63
                                                                                                  SHA-256:52C29826C96E35373F05FEFBD0F92AC9EC377CD65E8F58A945F3A86B41C3DDC6
                                                                                                  SHA-512:57B3B9CD3A47A6543E0E81A4606E7A90E4A459FE827C01EC6A21D1A64503FE6267079FA89E3120519079A1E9A0EB925F3B794D9B39F03D7EBA524393DC564BEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U.X.........." ..0................. ........... ..............................~.....@.....................................O...................................L................................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........-.............................................................~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....-.~....,..*.......s.......(...+~....*.~....*.......*...0..@.......s.......}......}......}......}..........+s.....(....&~....o....*.0...........u....%{.....%{.....%{.....{.....(.....Ps........o....o....tN...o........o....o........-.r...p+...o........o....r...p(........(......o......(....(....(......o........,...o...........(...+..~....o....*

                                                                                                  C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):378144
                                                                                                  Entropy (8bit):6.30005759256042
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:+CrkuaHqY/1EtiaDC3+Gr4iAOs+WEAO2gcmgrW09S:JmHqe1E3D/iAOsksH9
                                                                                                  MD5:9D67514FE36639B7EDA307FB46D27178
                                                                                                  SHA1:B8BA4CA6BCF2E5740B7E0F7A077FC72B1248BAFE
                                                                                                  SHA-256:EC8F92F2BCC5F6EE94605B7883E663236F2A2F578F4E610EAE9934CBD4266FE9
                                                                                                  SHA-512:4CA3BB0167F7F2512BFB1CC69B72FBDEFC4D3ED7679BA7ABD4B8C60F42DF2B95F6B44550F5A14C5843305B7705634D9B26327D87BB24F2934ABB5FF94C54AEA8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k..|.I.|.I.|.I...H.|.I...H.|.I...H.|.I...I.|.I+..H.|.I.|.I4|.I2..H.|.I2..H.|.I2..I.|.I2..H.|.IRich.|.I........PE..d...i.lf.........." ................................................................3.....`A.........................................P.......R.................../...... )......|.......p.......................(.......8............................................text...,........................... ..`.rdata...S.......T..................@..@.data...(....p.......T..............@....pdata.../.......0...^..............@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..|...........................@..B........................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.version

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):50
                                                                                                  Entropy (8bit):4.101984511178706
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:3SVNHUdSBnO2RUiXXdJ:LdSBO0z
                                                                                                  MD5:51BD796C4F311A08FFB7781E5D032A93
                                                                                                  SHA1:F91A587530005F6A7EDC281B2C86FC3B0369F676
                                                                                                  SHA-256:D684BCA93AB166D9929058855272376468E4D58425040467C5BF329725468116
                                                                                                  SHA-512:421A623385F5DEC6526A6765C13C3F6F4DD177F1C11A8894618BB3EDE1D87165442749350BCFF9BF0781C8DF81C2DCBBD331A20532EA229197D14FCC82199A83
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:e77011b31a3e5c47d931248a64b47f9b2d47853d..6.0.32..

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.CSharp.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1042592
                                                                                                  Entropy (8bit):6.758579311481363
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:u4NoNIdwu/Mw+u1xjx1Rb+Vu9yHTzsYVhdi4YBa72DS:uHNIdwuBLlPb+Vu9yHJXiZO
                                                                                                  MD5:58494487C1CD786C3AA26773E28B59EA
                                                                                                  SHA1:2B9E1F70AFC82DDAF1ADC1A7040FE960FAEB4D6B
                                                                                                  SHA-256:800E688FF423393F2741BE90BC6177B37F7077C11A885A3AE3C5AECEF941D521
                                                                                                  SHA-512:F4FD17EAD8F5039993B8EE9222CF61CAC841528578BDF5326B2AEB2FAAEF0CC6798DB301DC84035FFAE2BDAEADC93F7B63EAFE98727E09F25374455E2B6838DB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...._............" ................................................................0.....`...@......@............... .......................................6...j.......(......<...hD..T...............................................................H............text............................... ..`.data...D...........................@....reloc..<...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.DiaSymReader.Native.amd64.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2309152
                                                                                                  Entropy (8bit):6.414576855139372
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:jH+fGgFyzuNiG6H0n8D1gkrz/OAyFAopdrq/c/:+GgFQq8DT/ZyFDN0c
                                                                                                  MD5:A71CD05C01F0FC603C0BD782516F806D
                                                                                                  SHA1:C15E261D5E7318875D324D28AB70A883CD434C81
                                                                                                  SHA-256:7F8DCF37D9D66EAE14C48A79FA2FCD447BD0F38A21BE0203A9C4A89398AACF28
                                                                                                  SHA-512:CE53F6DC1F02889ED6FB1F8DF226F9BADBB039F79505CDBD599A00A32B6617DA5E19F2AD7F76BB8134B3CCAD39FAB2209ED8EC6AE42CD30402C4E450FC19FA88
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Wq0...^...^...^.Xh]...^.Xh[..^.XhZ...^..]...^..Z.'.^.Xh_...^..._...^..[.m.^..W...^..^...^......^.......^..\...^.Rich..^.........................PE..d....ZY..........." ...(.....\...... 0........................................#......)$...`A.........................................Z!.p....[!.P....P#.......!..W....#. (...`#..>.....p.......................(....U..@...................0Y!.`....................text............................... ..`.rdata...Y.......Z..................@..@.data....a...p!......^!.............@....pdata...W....!..X...t!.............@..@.didat..p....@#.......".............@....rsrc........P#.......".............@..@.reloc...>...`#..@....".............@..B................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.deps.json

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32962
                                                                                                  Entropy (8bit):4.3074461179606
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:+49mVEsIhKPMEPrT3XCGjDyiEc6BHa21Fe8kFN92uwtEeCJyX:voVEsIhKPMEPrT3XCGjDyiEc6BHa21F1
                                                                                                  MD5:8E0F8427C729E6B4CF95998F846A0887
                                                                                                  SHA1:201AD7BE0AD49C2C2DBE7C27B86A9295DCF0ACB0
                                                                                                  SHA-256:335A13F00FB336771FBEA2BB4A29E99E6E8BCF17B8C484091D256A99AB5DFDAF
                                                                                                  SHA-512:368D3F644361014808932F21C6324153D2A250B6FF869A8F261F68CCF2C93874F72CDE8B474B3A7E4E54A7B10649B50F83E3AE5910D325E8CF7A77BA06DD9EE5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:{.. "runtimeTarget": {.. "name": ".NETCoreApp,Version=v6.0/win-x64",.. "signature": "".. },.. "compilationOptions": {},.. "targets": {.. ".NETCoreApp,Version=v6.0": {},.. ".NETCoreApp,Version=v6.0/win-x64": {.. "Microsoft.NETCore.App.Runtime.win-x64/6.0.32": {.. "runtime": {.. "System.Private.CoreLib.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "Microsoft.VisualBasic.dll": {.. "assemblyVersion": "10.0.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "mscorlib.dll": {.. "assemblyVersion": "4.0.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "netstandard.dll": {.. "assemblyVersion": "2.1.0.0",.. "fileVersion": "6.0.3224.31407".. },.. "System.AppContext.dll": {.. "assemblyVersion": "6.0.0.0",.. "fileVersion": "6.0.3224.31407".. },..

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.NETCore.App.runtimeconfig.json

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):159
                                                                                                  Entropy (8bit):4.54941695087313
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:3Hpn/hdNxDI/pANC+KL4nNOcW3mJAGRM3Bojqy2VKXmHEk/FTy:3Hp/hdNyhAk+Q6NOCUo+K8EkNTy
                                                                                                  MD5:3FBD84A952D4BAB02E11FEC7B2BBC90E
                                                                                                  SHA1:E92DE794F3C8D5A5A1A0B75318BE9D5FB528D07D
                                                                                                  SHA-256:1B7AA545D9D3216979A9EFE8D72967F6E559A9C6A22288D14444D6C5C4C15738
                                                                                                  SHA-512:C97C1DA7AE94847D4EDF11625DC5B5085838C3842A550310CCA5C70BA54BE907FF454CA1E0080BA451EACFC5954C3F778F8B4E26C0933E55C121C86C9A24400B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:{.. "runtimeOptions": {.. "tfm": "net6.0",.. "configProperties": {.. "System.Reflection.Metadata.MetadataUpdater.IsSupported": false.. }.. }..}

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.Core.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1245360
                                                                                                  Entropy (8bit):6.768935404732361
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:tmvclJOXFDjW/lWSGcIyEAGY/7YlDwCi/Io+dw:QvcHOXFPW/lRGcDEAGYhCiN
                                                                                                  MD5:D9062214FEE5FE8D1903D3FCF1E1FBEB
                                                                                                  SHA1:34C9078D2F4F70646313975022A117192214FC4A
                                                                                                  SHA-256:F0D2D4D1E1B38D1449E51F5BFDC73B25C24F8659D98871BDDAF0650B88982538
                                                                                                  SHA-512:2B4A0D678B3AAD2E5665C71B9576522B0997E3B802BF260B785EDAF5B0DB390639A34EAF1F5D02B520272E1247968F9B4819198719418180ED4DBFC935C8E914
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ......................................................................`...@......@............... ..................................L........k.......(......l...(D..T...........................................................P...H............text............................... ..`.data........ ......................@....reloc..l...........................@..B............................................0.......................<.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............d....z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........R.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.VisualBasic.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18184
                                                                                                  Entropy (8bit):6.586065972352763
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:59SphH3czeYtcxWmH6t9QdWaYA6VFHRN7WDpSR9zWiBcfCg:5kHMzbJ+FClipe9z5cT
                                                                                                  MD5:F5A860792D6CE3C90865FBFBBC811026
                                                                                                  SHA1:CD7E52880FCC072C2CB743D040E7AE67C7B79D1B
                                                                                                  SHA-256:833AFA20C11993D9260EF08CA493462CC182B940ABBB7FAE0BAE359EC114CCF1
                                                                                                  SHA-512:A6FD6CCA6FDCDD18604DB8C21ED9BE7263CB779298F5BE51A05FDC1BEB453FBF3C7B7E759031CEE54F476439975F2733FED3B539F70E8D02777EAF3091220961
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C.@..........." ..0..............2... ...@....... ....................................`.................................{2..O....@...................)...`.......1..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H.......P .......................1......................................BSJB............v4.0.30319......l.......#~..p.......#Strings....l.......#US.p.......#GUID.......H...#Blob............T.........3....................................K...............2.................<.....d.J..........."...~."....."...}."....."...}."....."...d.".....".....x.....x.............................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):26272
                                                                                                  Entropy (8bit):6.550629473321971
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:GWhPKpWCZWnjmMDQnqyXhcuolXWcYA6VFHRN7yfUiHR9z70+I:40jm5n5XivDFClTQ9zG
                                                                                                  MD5:EC5D0ACACD99FFD68DB813B11F04965C
                                                                                                  SHA1:AEEA184FA29CD03087E92D25B47EECA5DA0EC09D
                                                                                                  SHA-256:85EB1682060ABD5B680267B1F4A8FD3F9141919781A7A4F259F50AC99C1CFD5E
                                                                                                  SHA-512:C19C3B504F16015C4DFCBF4F3EF0CE2652C661823765B7FC9D709FD844831C1C03AEB3FAB9B12F850920CFA632C9C969EC6F466A13CA9AD96C69CC26D5FD2E80
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...4............." .....4...................................................p...........`...@......@............... ..................................D............>...(...`..\...8...T...........................................................H...H............text....2.......4.................. ..`.data........P.......6..............@....reloc..\....`.......<..............@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\Microsoft.Win32.Registry.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):87712
                                                                                                  Entropy (8bit):6.6073982140765795
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:xyjecxml5gdJKCILek2ymrsykEomWxGsViqo5qkbqkikzhma:xyjeIml5KJKCdy5ykE8xGsViqCqszjD
                                                                                                  MD5:E1E1078BD5CE3EB3865684D082839E72
                                                                                                  SHA1:DF92E8E112F30DB28B49018023E7E6433170E755
                                                                                                  SHA-256:6EB1A0E98D684C6F647092299C680186A2F80C571C137043B1AF9B0FF0518C81
                                                                                                  SHA-512:ECA6E8A8E589FF01A97D8A62F884BBC7BB9A39F074502DD3EF8B6AF0D9D81FB8F97C5DCADAF638386BBAD1E57083A4DAB475BFE80FC25488CC701D8E31596ED4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...KT............" .........................................................`......1,....`...@......@............... ..................................8...p............(...P..........T...........................................................8...H............text............................... ..`.data........0......................@....reloc.......P.......,..............@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.AppContext.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15632
                                                                                                  Entropy (8bit):6.786322181535639
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:/GyxxBHaW+E7WJpWjA6Kr4PFHnhWgN7agWe5Y00pyEuX01k9z3AD4IQvpIS7WcU:/zrHaW+E7WJYA6VFHRN7pEpcR9zt5zU
                                                                                                  MD5:F65763C85CFE0BE955E9BB620DE349C9
                                                                                                  SHA1:9B7A9FC65982CC76E859B5605C9DE2C384AD8528
                                                                                                  SHA-256:7C804005A4E369C54E2FEFB338C3C1BC2D0AAFA6AA6D0FEE51F9AB161B8C8034
                                                                                                  SHA-512:8173154BDA7F16957182495692E19E1B71F26D9B7E1E9CB753A7B1D05A7BFCC2F9B51B83E53343EEE02A5C312307576B5218937E238F99B6D1209F86B5CFD995
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...h_............"!..0.............^)... ........@.. ..............................-.....`..................................)..S....@..h................)...`......d(..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B................@)......H........ ......................P ......................................Ba.6?o.y].'@.....H.5l..X;..g.8...!..o.1..nMFN..y.P6-...$.(v...[..v*....S.2..`..w6.yX.E..G...m...KhRRs..2+..6..7e.......7..CBSJB............v4.0.30319......`.......#~..,.......#Strings............#GUID...........#Blob......................3................................................".p.....p...;.>.........f.............Q.....Q.....&...!.&.....&...[.&.....&.....&.....&...B.&...O.&...v.p...........

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Buffers.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15520
                                                                                                  Entropy (8bit):6.770683864726388
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:hb+0jWYb2WapWjA6Kr4PFHnhWgN7aIWPALBm+0U8X01k9z3AlL0w:hFjWYb2WaYA6VFHRN7uCBmo8R9zML0w
                                                                                                  MD5:63A871EC790F87FD651C5C31191669D3
                                                                                                  SHA1:B1DCA1FAF1A6C68840252F50263A3F83FCF1B089
                                                                                                  SHA-256:4505FB902833DA7A84AEE6940ECF1214FE4D58A5538C6E1B9D24B9A5F4BA542D
                                                                                                  SHA-512:FC3953902E06E563644D075E535F5F7ADB274513C608412C123520A60FA3DFE5FCC5E54D1580F7E4C35CFE3C7000414B6AE5A3985B097D85A3AFFDFADDFD6836
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e.W..........."!..0.............^)... ........@.. ..............................6.....`..................................)..S....@..X................(...`......h(..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B................@)......H........ ......................P .......................................P."jU.=s..u.....&%....#p..rEc...#7.{f.'......z....wO.vIF...b<......9...q..$b'...$9.$e...r.. ......I;..a..|.n.\.J].l.-[/^.c.BSJB............v4.0.30319......`.......#~..,.......#Strings............#GUID...........#Blob......................3..................................................y.....y...G.G.........r.......(.....Z.....Z...../...-./...../...g./...../...../...../...N./...[./.....y...........

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Concurrent.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):246944
                                                                                                  Entropy (8bit):6.848188639113924
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:IsS/sAVyNURkbEf5+i6MKORygikbyO2aGJ0pebyz:IslArRvt6MikbD2lieyz
                                                                                                  MD5:EE80410AB6F7E4CCF5AF69610B88C961
                                                                                                  SHA1:6136CF0F7AF46A00867631E83C912F1CAA9924D0
                                                                                                  SHA-256:1ADAEC2435191BBDCB569BF6847D8DADBBD8311E8D4A197A8E589422184673FD
                                                                                                  SHA-512:62038BB7A1482B61E8465E6586CE041D8FB43600CC97A4FE9360B5A7D9808493F7E4D846B7FD83E9ADBFA00E83442208BF4955CB8E5AFB55B8C892021EBE88E9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....`...:......................................................I.....`...@......@............... .......................................e...........(..........P...T...............................................................H............text...._.......`.................. ..`.data....5...p...6...b..............@....reloc..............................@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...T.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s...C.o.n.c.u.r.r.e.n.t...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...d.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Immutable.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):666272
                                                                                                  Entropy (8bit):6.7865309669778995
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:Q36VIpN0cAxbgmaoB7yPXz66M4cR+c2/oMytOobmJS:Q3OZzaBruLqo
                                                                                                  MD5:2213144DBE8516B61EC845255E800E41
                                                                                                  SHA1:1B9BC3BA892B6F00AF3A83E3D7539C8118BDB551
                                                                                                  SHA-256:3A902B104DE903DDCB9C1FEC58A9D95769F31564D967008AD7232D08C5CD48E6
                                                                                                  SHA-512:916EB3A7B4306E2A47F9371DCD6BBB842435C5BDD99E967CE99736F316D445EC5212AD99BC36F1DBF705835077FBB54D415226118B4AADDFC98D6833ACA2A490
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ......................................................... ......l.....`...@......@............... ......................................4...P^.......(...... ...."..T...............................................................H............text............................... ..`.data...:.... ......................@....reloc.. ...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...v./...C.o.m.m.e.n.t.s...T.h.i.s. .p.a.c.k.a.g.e. .p.r.o.v.i.d.e.s. .c.o.l.l.e.c.t.i.o.n.s. .t.h.a.t. .a.r.e. .t.h.r.e.a.d. .s.a.f.e. .a.n.d. .g.u.a.r.a.n.t.e.e.d. .t.o. .n.e.v.e.r. .c.h.a.n.g.e. .

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.NonGeneric.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):101144
                                                                                                  Entropy (8bit):6.4771157203569025
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:vQqNPxgJRRQWsBTkyo+XBQCXeCLDrkEIE:4gxgJRbZEd
                                                                                                  MD5:C12C92B54FB343C99F8D01768A366D6E
                                                                                                  SHA1:51356DD0B443F14D894F9594F99F115B005104B1
                                                                                                  SHA-256:454712AD098DBB00653234FB5E7FB5E6EA7820813D34F0833BDB0D0CC7186CB5
                                                                                                  SHA-512:04D4E99B80083A9D6211945210AFE039917D182FDAD0BA035D8DFB076A048ABA3CEC5244E68C06C0068FA592468087EACFA164938232B015E4AE785DDFFAAF04
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Gr............" .....L..........................................................?.....`...@......@............... ......................................83.......b...)..........X...T...............................................................H............text...@K.......L.................. ..`.data........`.......N..............@....reloc...............`..............@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...T.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s...N.o.n.G.e.n.e.r.i.c...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...d.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.Specialized.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):95512
                                                                                                  Entropy (8bit):6.5344887890851435
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:da5jcaL7hPvoiTCxaDVvkDTC5O7/LyY20SRhpVeypaWszC:dmQC7ZNBsDTs+zyY20SRhpVeygn+
                                                                                                  MD5:47D9EE750FD6A7828D0A6CA892BC9E46
                                                                                                  SHA1:B0C23A5894F29A6725209E0EE38AAC135C506F8A
                                                                                                  SHA-256:53A99E65EC985625A9CC307F1307D2B8B353388A60E311DF1E7467D7DD22E6BB
                                                                                                  SHA-512:36C793702FED17B293A8204D555B1675E5297BA5DB84A3576324E4CCB601F1ED0A6B7BF997E51C9B77C5DCFC39D4639F5F3A30BC7D825CD7304A741CC816AA8E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....+..........." .....6..........................................................k.....`...@......@............... .......................................0..h....L...)...p......P...T...............................................................H............text...x4.......6.................. ..`.data...\....P.......8..............@....reloc.......p.......J..............@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s...S.p.e.c.i.a.l.i.z.e.d.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Collections.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):264992
                                                                                                  Entropy (8bit):6.7616104773576104
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:f0bzf+JuwsctkH2KrzQ5t056pAje2l3ki7CL/df:f3JuwDiHQNW/7CLlf
                                                                                                  MD5:1EA34151310783585A8326FEF2FA355C
                                                                                                  SHA1:19F78734D779A14DA4B09443395A57BAB652353C
                                                                                                  SHA-256:61EF7CE0CB1459E2D58AF1795DD0BAFE8C925DEF4620D7EF756BA8EA9C51C0B6
                                                                                                  SHA-512:8C42C677026FBE809FB70DE051FF84B31653B07C5D0610358721E529F13563173729793E77F96EF0D966221E1BCE1A863EEBA7E65463A0B9734D5E5C798F95B0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...O............." .........@............................................................`...@......@............... ..................................t...,].......... )......,.......T...........................................................x...H............text............................... ..`.data.../9.......:..................@....reloc..,...........................@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...>.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.l.l.e.c.t.i.o.n.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...N.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...C.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Annotations.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):187040
                                                                                                  Entropy (8bit):6.460139009818362
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:1vPOpAmODFRGaOsFLvjF8IbGumTG5D5/vbF6d+F7iWY9LYw8XBd:h2psT2q1QG5NF7xwLYw8z
                                                                                                  MD5:AB0D22D8A5CD9A8C09A8E7E8F4B105B1
                                                                                                  SHA1:B9665F5A2298FB916935FE0D57A2AF351BBC8355
                                                                                                  SHA-256:4F5273AC3DE8AF28FB9DC7F931AAEB436E830EC79A6BB7B30790149F748A81E0
                                                                                                  SHA-512:157A76501C1C233CEBA5A0E77566DFA90FEA0153B7C3DDFB6D99F8809BF817774E6193EDD46B026F149BC0C07E405A0998EE511FD6914080FF14412B56236E78
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...d............." .....v...:............................................................`...@......@............... ...................................... G...........(..........("..T...............................................................H............text...*t.......v.................. ..`.data...a4.......6...x..............@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...\."...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...A.n.n.o.t.a.t.i.o.n.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...l."...F.i.l.e.D.e.s.c.r.i.p.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.DataAnnotations.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17672
                                                                                                  Entropy (8bit):6.641311069044931
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:B8imyfJe9eGXxC4rcUXWuQXWWYA6VFHRN7Y6/7R9zb3cW4:B8jY1VFClY6F9zoW4
                                                                                                  MD5:593284F27C1B10A3B988C719A80F42B0
                                                                                                  SHA1:8DAA1B77155A6A80943E7CDE345D0D6A5D3392D8
                                                                                                  SHA-256:451E52F8C52FA0CB5F6F9F0AB15948B7F0F31371FBBA578DE9BDBA414DC0438E
                                                                                                  SHA-512:5C54051004C55CF2D7B25F3D74BBABA051EB79F510383BDBF0E62F622B02C9E752C4D3F11005533D2C0F2F6542A371D0672101A8FFB8BF6F70F952E5F138E63F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............0... ...@....... ...............................=....`.................................;0..O....@...................)...`......8/..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................o0......H.......P ..h...........................................................BSJB............v4.0.30319......l...D...#~......L...#Strings............#US.........#GUID.......X...#Blob............T.........3....................................+...............M.p...P.p.....]...........................O.....7.................>.....[...............................9.....p.................W.....W.....W...).W...1.W...9.W...A.W...I.W...Q.W...Y.W...a.W...i.W...q.W...y.W.....W. ...W.....W...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.EventBasedAsync.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):38576
                                                                                                  Entropy (8bit):6.482988194804308
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ZWvdwWWoG2fC/yrkEWyiIo/DstPAoWbEwbLmkDxTip9kZFDXSO88+6EZccdwVOR0:IkdyrkRPwqfxI484taDuKWWts89zi
                                                                                                  MD5:B90AB8335BE300D2D6CCD4A8D6F9B087
                                                                                                  SHA1:1E0C8A067E0ECDE4EE76B92E0B4584BFEC356B80
                                                                                                  SHA-256:D84C335A6D2CA1BC60A08ABB82EAE992865ABEA238EE9AECF409709E35A1D8B3
                                                                                                  SHA-512:1BF05FB931667B0D85C2DF8219A135647FC92A0DC59FFF352B88570694E719AB1A81E7942F555EC4F14A57EDB0A04CFAD1FB3884DE2FB0EBCFB3BD6EC5EFAF67
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....b..........................................................q7....`...@......@............... ......................................$...x....n...(..............T...............................................................H............text...Ra.......b.................. ..`.data................d..............@....reloc...............l..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...d.&...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...E.v.e.n.t.B.a.s.e.d.A.s.y.n.c...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...t.&...F.i.l.e.D.e.s.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):75528
                                                                                                  Entropy (8bit):6.423261308572458
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:XnGO8FwPsQAtTKNI6T1mb1yF0YDC2oKQ15hv97Q8a7ehFClV5iK9zH:3GeUP6kYFlC2oKQVZ8uiV5nzH
                                                                                                  MD5:1F9A3B96F29E4D2F255F9F415202545E
                                                                                                  SHA1:5C7C07B718C0F6F4BBFFFC2F0B15EC5FFC71A18C
                                                                                                  SHA-256:0C7FEC8BB98188024E540B5B07138DC687A64A7BD7BCB0184F94B883CCC6573B
                                                                                                  SHA-512:88A435AC1F0EE381E8CE873D1B59BDF34C94B9C081C83421AB0960954463CA44A8DFCC1899FCE4CA9EF3F1B04A7E2F1534B0C1A2E3D03213638F00B7E7942261
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....i..........." ......................................................... ......t&....`...@......@............... .......................................&...........)..............T...............................................................H............text............................... ..`.data...............................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...Z.!...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...P.r.i.m.i.t.i.v.e.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...j.!...F.i.l.e.D.e.s.c.r.i.p.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.TypeConverter.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):744608
                                                                                                  Entropy (8bit):6.69105296530575
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:D9LNoeQ4iz7+tGNAZ4TVR+aAFMAmquhQa734HqPl0nVUSfDNzPJ8QeBnd8ctZI3B:v54jTVR+aAFMAmqu72KQeBnDtZIdl4le
                                                                                                  MD5:0103B7C4543CE5C30E0772318D95903A
                                                                                                  SHA1:43576B591E533BD165FCFE67C795B29C413FA45E
                                                                                                  SHA-256:607B67AA9B2DED9244581F7695D0F13F1B42231632AFCC42B1292A51E17B5D42
                                                                                                  SHA-512:A4547E5DF90BA94723CFE3DE77471EF644BD92E3800B367483EB8A2A99079AB4A6009B27AECF253C6C611768D8E27509215A492997779BD216BD91DEC408B3BE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...u............." .....h...................................................P............`...@......@............... ...........................................]...4...(...@.......=..T...............................................................H............text...kg.......h.................. ..`.data................j..............@....reloc.......@.......&..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...`.$...C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...T.y.p.e.C.o.n.v.e.r.t.e.r...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...p.$...F.i.l.e.D.e.s.c.r.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ComponentModel.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18592
                                                                                                  Entropy (8bit):6.578998888705223
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:IpW4W1WhvBQScpij+7Co0WECYA6VFHRN71Bmo8R9zMLK2B:lnScNx7FClHmoQ9zFM
                                                                                                  MD5:ACFE404D1F4FC2A4764CB8730F694669
                                                                                                  SHA1:4B226ED287BDF7BA97E7920A0A63D72984DA8737
                                                                                                  SHA-256:C3BBD79CAD9FC5A8131A2A80E452EB517B470D7AA890BB0D9DAA85733705DCEA
                                                                                                  SHA-512:8D970290BB05E05AEB94B109B326C354B9F5C60A6DF276D3DE48AD7FF3E5F11CA8CEABC9898595B30AEA3B2A776F04457B4A4878F7ABAEDE11A18C244CB935F8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........................................................P............`...@......@............... ..........................................`.... ...(...@...... ...T...............................................................H............text............................... ..`.data...N....0......................@....reloc.......@......................@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...D.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...C.o.m.p.o.n.e.n.t.M.o.d.e.l...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...T.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Configuration.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19632
                                                                                                  Entropy (8bit):6.558847302673581
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:HXoWX0yXQB1uXTSv/fvNRvGZYdf3zyP/weAEyUDhlWvONWHX6HRN7P6R9zqg67Pv:QniA2eWP29zm7jz
                                                                                                  MD5:5F280F450CBCE8D1E6604BF2CEC2420F
                                                                                                  SHA1:318D47DD9EAC1856356F2BB2A7A688F0B5B6EA7D
                                                                                                  SHA-256:EA9D9416D88ED906C118675224CA7DF5DCE0B6F7E0A9FF0331F32D56718B116A
                                                                                                  SHA-512:8D0A77D17D63AEE05308E5F167B17B5615F705802A3FA45FB91B003A47C4289CAFA8C7814D121F83E8DA37B3CD86AD1A89CDDAA7AA717E46E9F6DA3547E49A12
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....D]..........." ..0..............9... ...@....... ....................................`..................................9..O....@...............$...(...`.......8..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B.................9......H.......P ......................88......................................BSJB............v4.0.30319......l.......#~......h...#Strings............#US.........#GUID.......P...#Blob............T.........3....................................h.....D...............s.......|...............D.z...............Z.................0.....M.................<............."...,...................v.....v.....v...).v...1.v...9.v...A.v...I.v...Q.v...Y.v...a.v...i.v...q.v...y.v.....v. ...v.....v...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Console.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):156832
                                                                                                  Entropy (8bit):6.5964367947706215
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:K8z3iIcbCwq+p1waxbwbKBUOmOaYMGFyCN:veLh67clFys
                                                                                                  MD5:201166FA1E8E70153B374329A0FD284D
                                                                                                  SHA1:BFB399E7F79619B38BE849AC6B6A98AEE8E6A2D4
                                                                                                  SHA-256:0DCE6AEBDD65D76FA922723DA65CA8BF1207F93B44B0B201BB2FE16A24A7EDA9
                                                                                                  SHA-512:B05620B66789CB71635258A7BAB8C7D7B79260CDCA22EE9214241B017BAB8C2D31583ED0A2DE02AABDCDD39E4FD25FEF4292D6E221CF56F2500DC6F92F014188
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....^}..........." .........$...............................................`.......S....`...@......@............... .......................................<.......<...(...P......p...T...............................................................H............text............................... ..`.data........0... ..................@....reloc.......P.......8..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Core.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24328
                                                                                                  Entropy (8bit):6.298742718525896
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:8sIbPFWOUSnPEW51b04H9DGMq/tE8aQjryAkxkBm4U1zXtBC17KIDRWXb2WjYA64:8vPFWOUSnP751b04H9DGMq/tE8aQjryH
                                                                                                  MD5:40D5E469C55306B8672F327B8E4B9667
                                                                                                  SHA1:EB53D4C4978A760DFB27FDA5934E023102FFD64B
                                                                                                  SHA-256:5EF5D3758C1B1EAB45BBD17D6CAFBFF6510E284A47E385C81DAEC6559D5A0796
                                                                                                  SHA-512:34D9D261B2DECDA332D1E6469F903E436CB66FA6780C6091AC0FFB7846998A18674191132B3E55778673D5164EFA5CBC6D0DF28BEAC1F8B896FDFE086D82A5B2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O.\..........." ..0..,...........J... ...`....... ...............................7....`.................................CJ..O....`..8............6...)..........tI..T............................................ ............... ..H............text....*... ...,.................. ..`.rsrc...8....`......................@..@.reloc...............4..............@..B................wJ......H.......P ...(...................H......................................BSJB............v4.0.30319......l.......#~..........#Strings.....%......#US..%......#GUID....%......#Blob............T.........3............................................................................1.N...c.................y.....0...........].....z...................................K...................[.....[.....[...).[...1.[...9.[...A.[...I.[...Q.[...Y.[...a.[...i.[...q.[...y.[.....[. ...[.....[...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.Common.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2983600
                                                                                                  Entropy (8bit):6.812192303137626
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:QGXvwoaHeJ4TJYdj/Ic8u07EPba92I7aE0Vnv1XgVi4nNmccxbDpBsnTzkt2By6:FXIle6lscc+mxEx
                                                                                                  MD5:03E0F23A9AFFBE826691D59679FC59D9
                                                                                                  SHA1:629C03AC4766F367D21F6C8C9661DB55B7C8181E
                                                                                                  SHA-256:2798A9381AF5A44D712F2DDCF8CF123F9BFE9CA2514DD1997595D58F4B6CF6BE
                                                                                                  SHA-512:918EFE2983F2BE6105321414CFAC95ED629CAEBDA037EC64497EAF4BDC43D26DF1DF1E47FC2F073044854DD3E53CC45DD5348C8DBC8A2AE41EA55CC41818A8E8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....r+...................................................-.......-...`...@......@............... ..................................t....&...K...^-..(...`-..&......T...........................................................x...H............text....p+......r+................. ..`.data.........+......t+.............@....reloc...&...`-..(...6-.............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...>.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.a.t.a...C.o.m.m.o.n.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...N.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...D.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.DataSetExtensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.654164203598564
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:CILuSHbxjWa07W7YA6VFHRN7O049R9zaxW8:LuPwFClO069zQW8
                                                                                                  MD5:D4DB1A835333B83021EDBD1EDEB6D27B
                                                                                                  SHA1:2C02C06D2C5833E9D4C7B9A39B411E8478F0E016
                                                                                                  SHA-256:9B6A7F9CD4931CC9D5186F72A9159D23F72ECF41DF5F8839B032CE16BA37EBB2
                                                                                                  SHA-512:2458D1AE4D2520FE1EC682BDEE5B6CBDE06614FB27CFE5357E35C8E2BAEA2B9A8FE7321ED9926BC3667F225010D12EC63C862CB582A874041B98963174139DEB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%............."!..0..............)... ........@.. ...............................|....`..................................)..O....@...................(...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ .. ...................P ......................................C..g9..xrD .l...?+ES....d2DeGs.+p..5!......F..N.......~....,.J....t;....E>.b.]4...SQ^..(...d>`..=.......D.}.[.`..&.]..&...4BSJB............v4.0.30319......`...H...#~......X...#Strings............#GUID...........#Blob......................3................................................E...............................:...'.A...i.A.....A...~.A.....A.....A.....A...e.A.....A...........E.................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Data.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25760
                                                                                                  Entropy (8bit):6.240856087154136
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:wBaJC9XmGP2SoxDZQe/9hyWiWFWiYA6VFHRN7I/6fR9z+A7:wwsXmJDZQIbFClv9zh7
                                                                                                  MD5:66CBA8908CCE9E4119AA1262BC47154F
                                                                                                  SHA1:20AAD849038632117C90B367F470E41845F21F34
                                                                                                  SHA-256:A9EEB0AA352B4D59A050ED8299CE9D901DEBAF83E9E5FADA36AEA1BD0194554C
                                                                                                  SHA-512:1503DCCC3BAA87B3CE87CAF17E926DCD4308B2CEDAC90E9552671F6CB41508506A12DB3BF1262B1ACAFCC8AD4C4B1A713D963A2547C0A61C241C6DDD5E947745
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..2...........P... ...`....... ....................................`..................................P..O....`..8............<...(...........O..T............................................ ............... ..H............text....0... ...2.................. ..`.rsrc...8....`.......4..............@..@.reloc...............:..............@..B.................P......H.......P ......................HO......................................BSJB............v4.0.30319......l.......#~......0...#Strings.... ,......#US.$,......#GUID...4,......#Blob............T.........3....................................<.....[...............:.................A...........o...........!...........R.....Z.....w............................... ...........#...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Contracts.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.777665372573317
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:D9teWZPxxe3sW6r2WnpWjA6Kr4PFHnhWgN7aIWe8/KIjwX01k9z3A8Pl4:5EWzA3sW6r2WnYA6VFHRN7dbHR9z794
                                                                                                  MD5:C46E8A594D74758F7B3687CAF3926A27
                                                                                                  SHA1:ADE52D2084F59DF1C8AF87838B6FB28CDB2FEC28
                                                                                                  SHA-256:8AC0FFAABC3F3265B4CB9FA0A301D11B51A46DC912111CBC28ABFA2F2586B9CD
                                                                                                  SHA-512:D76A401A8A20F3345102DA20770ED598F9FA0DB60175D6483BD15CE4109777EDB95F28BA90EEBABDA960D47D3ECFCC39AA7012F75D32ABB0896B23DD08060C8C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Y............."!..0..............+... ........@.. ..............................64....`..................................+..W....@...................(...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P .........................................i...K.5..p.J..[..SfM......r2...d.....0nO?Y...Mc..y.xHRK..}%..7*.W.f&..M...qYa...e...qtD;J%. .F.......6....{qQ...qcnu_...XBSJB............v4.0.30319......`.......#~......H...#Strings....8.......#GUID...H.......#Blob......................3......................................Z.........9.........................,.....{.........F...........5.............................#.....p.........................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Debug.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.762856659311949
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:NR1bwxx+YW2rmWcpWjA6Kr4PFHnhWgN7a8WW9aqcnCjVi6KrIX01k9z3ALxLwf:NaoYW2rmWcYA6VFHRN7j5w49R9zax0f
                                                                                                  MD5:8F3DF1C8A4747BE297926B0E6947A230
                                                                                                  SHA1:836967D203FAE86256A5E61C9086DBE4F5D6E35A
                                                                                                  SHA-256:F2B8865DCE56FF9064E31939066AEA954F5765C4AE82C852EAE28686DBF9A65F
                                                                                                  SHA-512:D4850721E5FA9709B0FA7AF685164DDDD9CD4B3EE8290CA02643C20F4D1B16EAC8E597736D1B02CC4F1DE5753E661EDA8D7D86B47D3850483D8C3617922C2A41
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...<............."!..0.............n+... ........@.. ...............................u....`..................................+..W....@...................(...`......`*..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P+......H........ ......................P ...............................................a...[;.;8......%x.3X.tH.....d..M'.".?....w.M...............-*.:.MV.r.)oxh..EJ...1.59O.....n.(.$....N..z.R..$.?6L.vuBSJB............v4.0.30319......`...t...#~..........#Strings............#GUID...........#Blob......................3............................................................o...................4.................;...8.;...].;.....;...F.;.....;... .;.....;.....;.................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.DiagnosticSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):380592
                                                                                                  Entropy (8bit):6.735675584761259
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:FkrYIYOg3BqTtasHnkWg62wafPoSVsybyCrEVYE9J01Tp1:6G3BkBkwoPACrEVtQJ
                                                                                                  MD5:FE19AB7B45430314F9B9406779A5F383
                                                                                                  SHA1:2733B7326CC7C5587BE27C93F936590E642D13DE
                                                                                                  SHA-256:FD2953B1294DD406194DC06383643C1ECE065852EFC70977E363C5D811A52475
                                                                                                  SHA-512:5E72487FA8F4398BC40D6B120578E7A05C47C8E351DFB7845E7BADB7313B903BAB98DDDFF60F9BFBC12E203BCEC5AE8A4085EB16F79BAFC98929EBCF50BA64D6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....s..........." ................................................................;.....`...@......@............... ......................................`....+.......(.......... )..T...............................................................H............text............................... ..`.data....}...0...~..................@....reloc..............................@..B............................................0...........................X.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .C.l.a.s.s.e.s. .t.h.a.t. .a.l.l.o.w. .y.o.u. .t.o. .d.e.c.o.u.p.l.e. .c.o.d.e. .l.o.g.g.i.n.g. .r.i.c.h. .(.u.n.s.e.r.i.a.l.i.z.a.b.l.e.). .d.i.a.g.n.o.s.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.FileVersionInfo.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35488
                                                                                                  Entropy (8bit):6.4777955962711955
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:fWd6V9WHoyr50a+3ZgW1n6lsLiKqFCM1nTrmCwCBZ0oMaPeYA6VFHRN7gR9zpA:DCEpgW9LiKqFCM1n2CwWZZkFClc9z+
                                                                                                  MD5:51338B3400E2014F4B2EBB188760F8F8
                                                                                                  SHA1:C1EFC054DFA51D6498F2A6C3F44168D98BA5BC58
                                                                                                  SHA-256:E8DDBB1ED8BE1094412B0621268EE218A1BDE5DD4CBDD22FB947D1620F58872E
                                                                                                  SHA-512:4F4C20A2D7A65C09219F45C8CAAA98BDE04AB71CD30DA8943F87293F9D3C38662DFB3769CE30A264740EC22BF9B33E1148D9B88E72DE55B887F32B0B94F553A7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....{*..........." .....X................................................................`...@......@............... ..................................t...8........b...(......T.......T...........................................................x...H............text....W.......X.................. ..`.data........p.......Z..............@....reloc..T............`..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Process.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):290464
                                                                                                  Entropy (8bit):6.685216167852544
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:I57mVQTeyklUtrYxgjucNxs9b3NX1PkxAqRS7s03JFRlM:I5iVQTrklUSGjucNjmi03JFRlM
                                                                                                  MD5:DC2D85A8707588E1040BF052978CA3CC
                                                                                                  SHA1:CC19AF78C206F42CCCEE192BEE5ED854B5601869
                                                                                                  SHA-256:423E9CB7C654E1275AF06574E0ECCF600ADD68D35F7A9535DE7C29586A72B977
                                                                                                  SHA-512:EBA9BA51D5CD0CD89B3A4B1A1068A2F6DE1C5307FA6559CCA40B918A666D2A4C5DC592BAD2992C8D1035575F76C0FC3F74BD086600A33ACBCBEDE238E840AA16
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........P...............................................p............`...@......@............... ..................................D....m...!...F...(...`......0&..T...........................................................H...H............text...z........................... ..`.data....H.......J..................@....reloc.......`.......@..............@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.StackTrace.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):36512
                                                                                                  Entropy (8bit):6.53012806262516
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:H9jY/q6ejoniqkwx38n9Is/C4STsssssssssiFClkmoQ9zpI:HhY/q6ejoniqjx38n9Ij4SFikmVzpI
                                                                                                  MD5:4638B0B06EC5F853D3106C3E793ECE1B
                                                                                                  SHA1:D84B90F77DF24BE65B2692B5A6E68B4A934A6CB3
                                                                                                  SHA-256:9D25EBA962800F6D7690E51E8BCAFE421FE356B3E295D1EC68DDA7924C079423
                                                                                                  SHA-512:8C47A0B2DCCCF797CA00467398DA2645CE99B4B08487BC5100A5B7F875CC737392AE2DD69A57C2532A7AA25AF12B7881F9DEE211AA96EA2520D2D49568905496
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....Z..........................................................M.....`...@......@............... ...............................................f...(..............T...............................................................H............text....X.......Z.................. ..`.data...~....p.......\..............@....reloc...............d..............@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...T.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.i.a.g.n.o.s.t.i.c.s...S.t.a.c.k.T.r.a.c.e...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...d.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TextWriterTraceListener.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60576
                                                                                                  Entropy (8bit):6.5394690812701635
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:tqvGQZQFio5Dp/YLOzpngBsUb+CSNI8QUQXECID5FH0yFeO+FClJW29zh:tPFT5DpQizNpI8GvIJitiYCzh
                                                                                                  MD5:AA215480CCC3324B83FB2ADD6E4856BF
                                                                                                  SHA1:774277C64E0CDAF14424081D548B2D3F2B5F7A51
                                                                                                  SHA-256:900E8474DE5C8EBE1CE4FABDBE19C1145C429D89C2F2C4F7925849767FC3EF28
                                                                                                  SHA-512:537F08CEC9AB09A325D8374D776E8E682C80013BD8DE5F3B505826845607D61159FED887336716F1F53F054AFEFC092991E8D5FDB7E9547AB88945E11874A73E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ................................................................`.....`...@......@............... ..................................4....'..8........(......$.......T...........................................................8...H............text............................... ..`.data...7...........................@....reloc..$...........................@..B............................................0.......................$.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........<.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...n.+...C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.i.a.g.n.o.s.t.i.c.s...T.e.x.t.W.r.i.t.e.r.T.r.a.c.e.L.i.s.t.e.n.e.r.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...~.+...F.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tools.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16048
                                                                                                  Entropy (8bit):6.692349952151225
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:tVTAaxxe2pWQhUW0WxNzx95jmHnhWgN7aIWNxeKIjwX01k9z3A8N6Xr:3cA82pWQhUWbX6HRN723HR9z76
                                                                                                  MD5:D6FE11D82ABE3B49A423C948AFE918AA
                                                                                                  SHA1:A00BF039CA892A3802C3BC53F5886F5D6CF77DAA
                                                                                                  SHA-256:B25E831533A50791B90C1DD448703E88E36F3957BC2C9F40850A8BB051B5FCBB
                                                                                                  SHA-512:3CC0A47C684D07260D430FC61C5924DC0452A14401DDC5E9547FFEBC9DD0F92AE055FDB1C5CCCF16F9EA5513D85C9F1A8A5B2FD991995EAA1D2A0E07DDDA50ED
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....K..........."!..0..............*... ........@.. ....................................`..................................)..K....@...................(...`.......)..8............................................ ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ..L...................P .......................................`...a..*Ir.5Lk\3zQX'.5+.lt...h...6<R.....^.&l.........]KyZ....A....D.....g..0J.W.x1B.8.#LO...BaS...q..?c..pj.).../P4..G7BSJB............v4.0.30319......`.......#~..H...H...#Strings............#GUID...........#Blob......................3......................................Z.........s.........................,.....w...N.....F.....0.~...!.~.....~.....~.....~.....~.....~.....~.....~.................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.TraceSource.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):133296
                                                                                                  Entropy (8bit):6.547997172170634
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:8qjAVA3Uak7lkcUpI1dsMvj2OE20esM9eVmiqRIL8OXmty6nzufWrzhK6:8BV7agh3sMaj2SM9eVmiT2ty6zSs06
                                                                                                  MD5:51D99AE932F81F3155A5F410249FA4ED
                                                                                                  SHA1:A6AE36D863E6E4A0476ED5B8756D4AFA03C6468D
                                                                                                  SHA-256:57B710D6EE5585086F4438B864B5BED4738E9F451F21479D785BDF34781C9E76
                                                                                                  SHA-512:2F147F7188CEB538125B38E427FD01E9FA957041C45C8C34ABCD9093BB6D8479B6412A13DF09CA9256D6CCD75240EF409AC3A2B5CC7E76E6157F24D044AC5F7C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ......................................................................`...@......@............... ......................................L@...........(..............T...............................................................H............text............................... ..`.data...............................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...D.i.a.g.n.o.s.t.i.c.s...T.r.a.c.e.S.o.u.r.c.e.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Diagnostics.Tracing.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16664
                                                                                                  Entropy (8bit):6.7213791223858825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:hG5g6pDj+y1xxdPWbcDWGWHtWxNzx95jmHnhWgN7acWZkwKUWX01k9z3A/bUfw:h2+y/3PWbcDW7HuX6HRN7YF2R9zEr
                                                                                                  MD5:BAE1EC3B6C385527836D2AB828A0BE1A
                                                                                                  SHA1:733BD04B4DF39E38F075FBE75B15AFBCAF5117EE
                                                                                                  SHA-256:B1A8899251AAE44D312C44D9FCC8467EED7F112E6812C05A1EB30D3726ABE81C
                                                                                                  SHA-512:C6C6CCC8A9680D0AF897508463F9FC15564EE51E46C34699B907359109C14390A27C56FE39542A48AA943579A893625737C43EA9BD216594FA7FE824408262D5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... ..........."!..0.............>-... ........@.. ..............................U.....`..................................,..S....@...................)...`......0,..8............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ -......H........ ..`...................P ....................................../.Z(...tIJ.S.v...j..9+..-.....S..Hp.Q....C...b?w...}ea!...Z.S....i.%.x.8}GaM..8tP.......D#a.Q.01.....D.A........~..t#5.......BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3................................ .....................].........................................m.....q.....D...........P...........*...............................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):130208
                                                                                                  Entropy (8bit):6.376283707070365
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:z9PHfhY6c2ZPg52Hzvagb4xfHIKHnT6IdIWDkHLYlN0:hPHfDayzKHm+qYK
                                                                                                  MD5:F2B90E6B99089BF12AC1B2BC39658CF7
                                                                                                  SHA1:5CC0CBC44A27948C192B3F9E33341443DFCA28AD
                                                                                                  SHA-256:AB1B5EBF7F85E57A074F61A01B63333CB19D0DD5765645C38F6DF906556C1059
                                                                                                  SHA-512:CD07322A7098A8EDEDC1B8FF28A0B1D38A7992BA8534781975B883528DF64B9CA11EC027E5FC9535E7FD243EF487F6041920ABB46B8E9042604B123CE7A17F67
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....E..........." ................................................................C.....`...@......@............... ..................................8....0...........(......,.......T...........................................................8...H............text...f........................... ..`.data...f...........................@....reloc..,...........................@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Drawing.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):21256
                                                                                                  Entropy (8bit):6.402835622696235
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:zgyLzP7uC8sYITet5P9KbxWxutWEcYA6VFHRN7V6mcTR9zi2eiXrkd:zgy7CCKFClcrV9zpeiXrkd
                                                                                                  MD5:0F96953D2C97BD849375D7989365F1A9
                                                                                                  SHA1:F5CC786D19947FCBBC4FB34D06D8AE2466A2EB08
                                                                                                  SHA-256:8FC1D7782F015D6803C640E4F04EEB2B18468D773630B6A0F6FCF09B298FF11B
                                                                                                  SHA-512:956E384850295A60C6D838DE285C0ACC31D974F0B451B6CDFCFAFDDE6BDB33613F17E5D30A341A18B8F14A3B5C918D8EC96EAAAF48CF8BB967CC6773F6834DC3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u............." ..0.. ...........>... ...@....... ....................................`.................................}>..O....@..X............*...)...`.......=..T............................................ ............... ..H............text........ ... .................. ..`.rsrc...X....@......."..............@..@.reloc.......`.......(..............@..B.................>......H.......P ......................(=......................................BSJB............v4.0.30319......l.......#~......l...#Strings....|.......#US.........#GUID.......H...#Blob............T.........3..................................................................m...........#...............d.....x...........W...................................;.....~.[.......................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V...y.V.....V. ...V.....V...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Dynamic.Runtime.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16648
                                                                                                  Entropy (8bit):6.685942816560535
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:wGM51jjMWsXCW/YA6VFHRN7H0KGrYVXC4deR9zVjox78:Y16zFClHbGrYVXC4dC9zVjG78
                                                                                                  MD5:8CFBFA7AFD85136DA94F5832D94AC9AE
                                                                                                  SHA1:89FEF34116578257A8D700FD83BE859B3199707F
                                                                                                  SHA-256:F495B72459FBD399EAFAB35072DD2ADA3466C8B61FF09D5A4F6DC4B46F61F0B2
                                                                                                  SHA-512:948D3D1B081026F14C8EA1F21602D0B257B72ADB55B8F7ED5E4165FEB3D081C1380FC88053CED5C95ECFF68EC85ED9506330EC1B88DE44F175E20575606BA78A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............,... ........@.. ....................................`.................................\,..O....@...................)...`.......+..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........ ......................P ........................................e.,..}V...xO.Z...k_.ppb.....8 .6v.?X.......J..*z...:.d.SM....;y..%.t.9...z\z.Ea.R.C....k..]=.S|.....k.g<T..&.@.dS'.BSJB............v4.0.30319......`...P...#~..........#Strings....0.......#GUID...@.......#Blob......................3......................................>.........W...............................Y...9.r...j.r.....r.....r.....r.....r.....r...w.r.....r...........#.................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Formats.Asn1.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):200352
                                                                                                  Entropy (8bit):6.675634999876197
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:cf15GMge2PRUqDcbSjp74Cmwqv9Rcgff3Fu:cfLxgeyRUAcbSjp74Cmw2vFu
                                                                                                  MD5:13DF3EE8621AFC18530ED425CED9CD6C
                                                                                                  SHA1:BE9C951D0C2159754BA172A680916A628F91EFB6
                                                                                                  SHA-256:5AEEE4C52011AF8A5502484C991205985DF529F9F1EE53F9D0EA9FFA53FD13AA
                                                                                                  SHA-512:C39E246CA4E4D347F92C82DFE75AF8FA1756A869A08FF97B5116C33A6D0138383D7CCE1C50B9B211E1869CDEA53DAF38BE98838B0FD48C0F956AB7971EBACC75
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...f............." .........(......................................................c.....`...@......@............... ......................................XO...........(........... ..T...............................................................H............text............................... ..`.data...1".......$..................@....reloc..............................@..B............................................0...........................H.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...j.....C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .c.l.a.s.s.e.s. .t.h.a.t. .c.a.n. .r.e.a.d. .a.n.d. .w.r.i.t.e. .t.h.e. .A.S.N...1. .B.E.R.,. .C.E.R.,. .a.n.d. .D.E.R. .d.a.t.a. .f.o.r.m.a.t.s...........

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Calendars.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16136
                                                                                                  Entropy (8bit):6.8006872328458625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Baq7iRqXWDRq4mRqm0Rq7WWYA6VFHRN7DzPtcTR9zi2e8P:R8qKqbqmuqdFClOV9zpeM
                                                                                                  MD5:27C42A08E6C20635141FEC62802D5B95
                                                                                                  SHA1:7AE669484842D4D65AE076DDA8B660BE9AB2282A
                                                                                                  SHA-256:9896AD79F4528FE1D08E0CB3027127980FA71F8E4F82DE8916BE526157761387
                                                                                                  SHA-512:34DBC0056467F5F8218DC0BFB0030D113ECB8F6A9CB27852DB650165BC5FBC2DDF7E88679F273DB09AD3D050799BF348A322EEC0421642C46FEAA2453B0BD9D2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>............."!..0..............+... ........@.. ...............................0....`..................................+..W....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ........................................Cx.%*..>...m.......8.e.....Wj..X ....m.wy5.7.s.].dd(!..).....Q..At.I...j*..L.7.9..4I5..l.W....7..*.....q;..M,f....... GBSJB............v4.0.30319......`.......#~......$...#Strings....0.......#GUID...@.......#Blob......................3................................................"...........;...........f.......,.................H...!.H.....H...[.H.....H.....H.....H...B.H...O.H...v.............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.Extensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15624
                                                                                                  Entropy (8bit):6.828542855579913
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Dl8RPWYRgpRp0RjWYYA6VFHRN7htZ2R9zEZt:D4NApu7FClDZK9z6t
                                                                                                  MD5:E5A6FAA55C56E33AA488D92E489598DD
                                                                                                  SHA1:B100EA405A6AA4C5373B6D812F66CC8F53B38B06
                                                                                                  SHA-256:D32ACB153BFB96C7BF36049CFA1FCBD89E27EFB53100C8C41D476ACF7D9F17AD
                                                                                                  SHA-512:621F24A2695D341BC48746099E41EDBC4143F6F810752551DE85C16F3155484050563751C2F1E55D876C138366B1AFF7A196117D845E6383CF60CF2B5B8777B7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............)... ........@.. ...............................t....`.................................h)..S....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ......................................o..(........>..h.'.......X.B.qy.m.h..u...}.......E..5..p"G._ .wP3L.P.B.*f..1.;.ef.(A9u...........*`h<3.....%..my..f.L....=.BSJB............v4.0.30319......`.......#~..@.......#Strings....$.......#GUID...4.......#Blob......................3..................................................P.....P...3.=...p.....^.....a.......%.....%...w.%.....%.....%...w.%.....%.....%...G.%...I.P.................7.....

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Globalization.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.72406198525283
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:3mQ1AcRLWdRMERA0RHWzYA6VFHRN7FHR9z7t:3mQ1n0xAuMFCl/9zh
                                                                                                  MD5:05B81283F6495E06FF0AB4943B2343AE
                                                                                                  SHA1:E10D7BF018AE90BA1E53B86CBC808F9CF642C68C
                                                                                                  SHA-256:5CD5D885529923A1E4E9680E0C02EC504CF5C9B2375337427B57B20F731CE55D
                                                                                                  SHA-512:DB50326EC32CC9FBD3262CE8C004611CDBDCC03D54053FFF0DF0D7B165C13D45F1EFC89749040AA4E01AC4DDE503C26870ADE3D9D1322316849856693245E354
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."!..0..............+... ........@.. ...............................'....`..................................*..K....@...................(...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ..D...................P ......................................."./k....!'e..%..7?.:......-g..nL...^c.b...od%Q...3.L.2N.k...o...mi.....IQ.^.P.4+.n..X.f.C..&..ee3.....f~...;..,..)..Q.QBSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3......................................).........3.K.....K...L.....k.....w.......B.....,.....,.....^...2.^.....^...l.^.....^.....^.....^...S.^...`.^.....K...........

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Brotli.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):72864
                                                                                                  Entropy (8bit):6.524372551005852
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:OtCcjcm7Q5dSOyXb23QCQrEp8J0Bi1yz3:Opcm85zyXb236roBeyj
                                                                                                  MD5:EC5EE4618509CD0B01447CCF1960DBE8
                                                                                                  SHA1:6D84D712271CB213334E1F0ACFE67BE20D41DB09
                                                                                                  SHA-256:F90FD1D4986B7ACA57D92A8F069BB4D52CDC9862333099B0403FBA661D6CEFB2
                                                                                                  SHA-512:C2A710E0A293BA990FDB7B1139A7B15976D93C4E12B1A14A3C24DC986B136E3AAB2D316F0846EE0FC9E67E7E57C446E7A58152B099797EB3AB9A92E13DFFEBC0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....ha..........." ......................................................... ............`...@......@............... ..................................P...D)...........(......l.......T...........................................................P...H............text...D........................... ..`.data...............................@....reloc..l...........................@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.FileSystem.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16136
                                                                                                  Entropy (8bit):6.721333411401923
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:OP/3aWu7mW9YA6VFHRN7iYahJpR9zrjNl:OPvOFFCliYa7D9z3r
                                                                                                  MD5:6ED07B09003387E0A22CC8E4B7AF99FA
                                                                                                  SHA1:22797A9B68088050FCE4C5E11CC05C3EB94F4FA1
                                                                                                  SHA-256:0F5559C78DA1B4C5F851DE563E6B7C3411B20E0BC3427940FBCE71F647C7535B
                                                                                                  SHA-512:FE9F046FDE19ACF26E16C113FFD20A90B029CF9DF1C4BBEFE45766843AFB61ED8D6BA405DED837510D4D5F9902A10B0D96F8455D41E58CAB7A2614E3A11095CB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`>............" ..0..............*... ...@....... ....................................`.................................9*..O....@...................)...`......@)..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................m*......H.......P ..p....................(......................................BSJB............v4.0.30319......l.......#~..t... ...#Strings............#US.........#GUID...........#Blob............T.........3....................................................I...........k...................[...+.....7...................................i...........x...........Q.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.Native.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):826016
                                                                                                  Entropy (8bit):6.111858963772501
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:3JhYe83Gfyv7vrkasX8LZ6dA9NWYIAHhlyR8ZXTw05nmZfR83i:PYXv7vr5dx9IAniAmZfRYi
                                                                                                  MD5:05ADF6BF8E468B7A9D46E7748FDDAA8A
                                                                                                  SHA1:BB527A0E7ADB5BEF8DE1653F4A70B7F78247F792
                                                                                                  SHA-256:DBD97753727725C061E6F7258355D54E119098E973A064B8A983273B3B99F787
                                                                                                  SHA-512:B2EEA485C1684BC57F8E0E774B8C351C0B6A47C7DC65152BCD31E390B5EA58EC37B8F6CC70C3771F5AAEE6712F24586ACF746E38A5A3D0A0F184C6B7ACDA1A83
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*.ORn.!.n.!.n.!.g...b.!... .m.!.n. ./.!.<.$.q.!.<.%.d.!.<.".f.!...).@.!...!.o.!.....o.!...#.o.!.Richn.!.........PE..d...-.lf.........." ......................................................................`A.........................................V..<...<Y..x.......h....p.......r...(...........&..p...........................0'..8............................................text............................... ..`.rdata..._.......`..................@..@.data...,....`.......H..............@....pdata.......p.......L..............@..@_RDATA...............j..............@..@.rsrc...h............l..............@..@.reloc...............p..............@..B........................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.ZipFile.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):39584
                                                                                                  Entropy (8bit):6.504746734753008
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:hWPVIWfgE7XgHg1al2Yd5zDN2147XCIYUvsWIXpuJFH9CEUoGdqtHfSZGU05pu+V:4pwHf41MCUUjgsEUtcRpX5FClUmoQ9zi
                                                                                                  MD5:9C86F8E718CBC4CC1E17C865FD81EF29
                                                                                                  SHA1:266AD1DF8B2FC2DC483B44C108665420881FB240
                                                                                                  SHA-256:B906BA0E3641B75502DD60C4DE71F0CCBF13410E98C6AECF16ED93F6A4285CE3
                                                                                                  SHA-512:FA9B0CFC2CC9D04624769E0B5BFA2F6CBFC9C6518F41EA3FA589ABF492A65C6E412953E98B07C0ACF3A697B80F876C90A86B11EEF754F6FC77B2901DE209AE3C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...<4............" .....d...........................................................[....`...@......@............... ..................................P.......4....r...(..............T...........................................................P...H............text....b.......d.................. ..`.data...e............f..............@....reloc...............p..............@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Compression.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):267016
                                                                                                  Entropy (8bit):6.6826444234875275
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:uFkvaNssc18qR3na42neTHhI8HERQu4cI+NWlNRB1xqkUbwn+3GEF7plloN/VhKs:JF/5IeDhInRZWlbB1JI5XllOQuMKHP
                                                                                                  MD5:299CE3A886D186D6C6EE21EAD9F9F2F4
                                                                                                  SHA1:2C4819070B5B418C78E311DA99352C8ECBA1A580
                                                                                                  SHA-256:168DDAB678DE2E1B859B9CD38FBCA6148A3A0DC5DC3590A8D32DFCD94DD67B71
                                                                                                  SHA-512:E041719E949FA12E9653F566FAE6446E868CA53E1761F707469D419CDEBE32271251C476A954240A4A805F55E26CEBCCD222D7021C75C1643FFF9A1C3B06C14C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...B%............" .........>...........................................................`...@......@............... .................................. ....k..H........)......0....'..T........................................................... ...H............text...9........................... ..`.data....7.......8..................@....reloc..0...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........(.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.AccessControl.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):93872
                                                                                                  Entropy (8bit):6.567261761569019
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:G2BXrcUty70kPhIYeXxs6+gvXYqFBtgvaNB1WXzhZ:G2BXrPwFI1o8NCi14P
                                                                                                  MD5:5D63BAFA51DACFBBFB72E18694CA9F6A
                                                                                                  SHA1:8B7E54FDDFED77D00A30F9E163BED9CA69D53CDD
                                                                                                  SHA-256:6133769F582546A29300BD4988B3CEF06F3C1A83E8F52C2A30C62EC358011EDE
                                                                                                  SHA-512:380CCD0BDFDA10F07D5121314208B8924716FCBD1A6C60DF5C536A4C0C70904C653BAFA3B58D1BC05C9B16FFA7FD30A9BEE8460E8DE0852FBFEA86558E645E7E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....C ..........." .....(...................................................p......X.....`...@......@............... ..................................t...T/.......F...(...`......H...T...........................................................x...H............text...w&.......(.................. ..`.data........@.......*..............@....reloc.......`.......B..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.DriveInfo.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):42672
                                                                                                  Entropy (8bit):6.438920622890288
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:hWUHyWx5DVCHWl2Yd5zwNiCXKTmRIYfZKG46JdicX+zu6CVy1/8K/Y5ews+dLFSn:RNf/b36JwcXKLkK/Y71KWQkts89zg
                                                                                                  MD5:21B0D8D7603F786BA5FD1396304BE0FA
                                                                                                  SHA1:A63565EC1C9979A827960DB4CCD80B62F9EF3F8A
                                                                                                  SHA-256:F90B203B1133A025ADCDBB07966C6B6AB78DE1505A9AE582A56481D1EE873F9B
                                                                                                  SHA-512:9BB4615E370F449CAB01E8D5DA5A0AED806C3E7083AABF3C014E41ADDBC24A46730174E3EB9A8EAD0BC858B1A9295AFC9FBCB45471269AD9291F21941DB9CC63
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .....p..........................................................8.....`...@......@............... ..................................\............~...(..............T...........................................................`...H............text....n.......p.................. ..`.data...s............r..............@....reloc...............|..............@..B............................................0.......................L.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........d.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...@.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15640
                                                                                                  Entropy (8bit):6.830284593719402
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ahYMx9YW/fqW6WKWxNzx95jmHnhWgN7acW4gYCx6RMySX01k9z3AHVKJ8RUJa9J7:an9YW/fqW/ZX6HRN7Hg8MR9zGVKr6V
                                                                                                  MD5:BD3CCEA3CAEA8234E219850EE8FD1B56
                                                                                                  SHA1:F4A17588CD90E475A521CCA5DAB7374FAB3250A9
                                                                                                  SHA-256:C86D4E039FD6BF65D1FA0783193A9ABE30E66C347A43C6163B881D46F3D87EFE
                                                                                                  SHA-512:71D87E0774C058CBEA08AB309288B596BD4597F68E9B521A0556E8EB8236BF02B2D17CD31E09033744653AE0D38F9F5A2805D0855528C2A51590BE91143DF1A0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............)... ........@.. ...................................`.................................`)..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P .......................................V(.$.G.r..!}E2Us.x..o....F....I...J.yU..2..........2.S.d.|..+Vp&..\..y_.n.KQh.a.E..`.....ep..G.2Z.4.s3.._.z...j.vC#...BSJB............v4.0.30319......`.......#~..L.......#Strings............#GUID...,.......#Blob......................3................................................!.J.....J..._.7...j.......................E...........Z.......................A.....s.....u.J.................1.....

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.Watcher.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):72368
                                                                                                  Entropy (8bit):6.5347936763696195
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:fHuxn2SjgTCcxduILBZIds7lgndSI0bWBYWMzlm5:fOx2Rld9lZz7lukI0baYvZ6
                                                                                                  MD5:160C8055B1230CECDB195BD6057BF3D6
                                                                                                  SHA1:1BE7BB10FD675CE1D979CC43386EB478BC677E5C
                                                                                                  SHA-256:B2D5F23950B2CFE9056624E6A1E6CB78FEDD1775F8E490B6F6D597FE6B9453BE
                                                                                                  SHA-512:9E606F7EB6B4A4AF5194ACD3443B23E2A178383826B49F16D544DDDD2E1BA5C3374DD0E6E6B765EBDC8EBFF47B2BB5580968532C4F29F2F4A4F0CBB6CA67D3F1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...K............." ......................................................... ............`...@......@............... ..................................P...d(...........(......p.......T...........................................................P...H............text............................... ..`.data...............................@....reloc..p...........................@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.FileSystem.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24344
                                                                                                  Entropy (8bit):6.355803501821008
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:D5aPWc+mFnJ85Zu+m2sqjd5z5nNkcf2LthQWy72WQX6HRN7D02R9zEeMG:4P7Fn8dPfVqAY6IWwK9zXt
                                                                                                  MD5:1E9BC95C5CE564B1FFA33FB4BAA3C82B
                                                                                                  SHA1:CF9F928BEF3268F27E88A50BDF468D6488C6A936
                                                                                                  SHA-256:008BF6401C475B5E85C15D0756F6E377EE2BCD742DB2667D7A502C9EEFFDD721
                                                                                                  SHA-512:4DE834DD2107D4A1411596056C71FD4E2022FE26FA379E70A0F78374D0C7DBAEF34F292493716029755126B567CCED04539277E71C17A29E92D0EC5ADB8630E4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."!..0..,..........NJ... ........@.. ....................................`..................................I..S....`...............6...)..........LI..8............................................ ............... ..H............text...T*... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................0J......H.......h?..............P .......>.....................................................lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet....9.......PADPADP..7../...........S.t...p..T...3.2...0.J.M.*.=.0....bAA. .e......"....N..~..s...@].Sew.s.t.7.4...5.......x..........]..Q~........#n..'.<.+2]./...0...2.W.4...4>..5q..:...>(.3OL"PP^..V~..VV..eRaDf.3.f7..f..fj.Hpj.1.j..&u

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.IsolatedStorage.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):83616
                                                                                                  Entropy (8bit):6.495444697679031
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:BzPryEnJOCVHF9BR5sWApdNeK+M33e6Z3IVi+i8zQ+:BDnJOCVBR5sWApdNe433e6u4+zk+
                                                                                                  MD5:D7676E8A49066209E0FA8CA44E8B9407
                                                                                                  SHA1:D8595DB79E999D334216A785E07FB33940CEEE79
                                                                                                  SHA-256:A8E4E2CDFC6FAA5BA11945BD6212B81C9603D8EAE8C7BFC7C2722EFA2B58513F
                                                                                                  SHA-512:28549BC603E12A4F05A59B873A7E319E3A36E4E55436EDB6C117E21CAD0FC11F772B22BF399463BB8CABB9FC9A085FC924548455BBFDECC89EF034F07E70147A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....MX..........." .........................................................P............`...@......@............... ..................................8....,...........(...@..........T...........................................................8...H............text............................... ..`.data...}.... ......................@....reloc.......@......................@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.MemoryMappedFiles.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69408
                                                                                                  Entropy (8bit):6.415564775018847
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Oel44fb3OrgQqy2gYSxycVFidrg0TwK9WWzjn:Oel13O2y2gYMXVAdrg0TwK9tHn
                                                                                                  MD5:B9F00468A42AEF4650D7DDDDA2B48A49
                                                                                                  SHA1:1B75047EE318C2C2596C74AAD1977CF1F17BF01F
                                                                                                  SHA-256:E9668809465731AEBE17CDAC847B1650896C65FB7934313ED075F9C331631E98
                                                                                                  SHA-512:C8F4CC2E4182EFE98B3AA25D6BBF0EA6BD9530EDE2D3F3BFC48387FF7A041A22B0C8969860B7161C92B88EBCE30BDF3B6F47EB5B675464E0C9C08847ED10D980
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....NP..........." ................................................................$.....`...@......@............... ..................................D...@%.......... )..............T...........................................................H...H............text............................... ..`.data...h...........................@....reloc..............................@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.AccessControl.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16648
                                                                                                  Entropy (8bit):6.8039485559108055
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:sQ3WehWqW+oPWgYA6VFHRN7PVXC4deR9zVjoxpK:93WSgfFClPVXC4dC9zVjGY
                                                                                                  MD5:7C4C0AB06F827D12B5BB0609E34B881D
                                                                                                  SHA1:EDB76E9DF5E177D260AD8E5739375E00CD16C412
                                                                                                  SHA-256:058C76CDC0BE8AB0F583ACE5651F1CE1EE7D3D1178DBE2D03829A7D52723A2FF
                                                                                                  SHA-512:05AF881F2603C59539802A2CE86D6204BDE877860F3FADF302FCD60B96EC87026FE8379830BBBED7A7E7B8226BB8427B7101A6F49E509A1FB383FD8B54DC3168
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Z............."!..0..............-... ........@.. ....................................`.................................4-..W....@..T................)...`......p,..8............................................ ............... ..H............text........ ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B................p-......H........"..............P ......h"...........................................<linker>.. <assembly fullname="System.IO.Pipes.AccessControl" feature="System.Resources.UseSystemResourceKeys" featurevalue="true">.. System.Resources.UseSystemResourceKeys removes resource strings and instead uses the resource key as the exception message -->.. <resource name="FxResources.System.IO.Pipes.AccessControl.SR.resources" action="remove" />.. <type fullname="System.SR">..

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.Pipes.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):136352
                                                                                                  Entropy (8bit):6.501718336587814
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:igZr1fdLwfRDI76D+/PeCMk0eZeBClJk87+xL8a:fKM++/2U0EaxLx
                                                                                                  MD5:8C160837F5ABB45FC6D74EB314DC4E33
                                                                                                  SHA1:CEF2A93F9E2C12F6AAEE0E43923C9B3D9D701D23
                                                                                                  SHA-256:5C402A50C62ADF3BB0538F520CA2E8D56788B877020EA11A22B5A48072DF95A5
                                                                                                  SHA-512:CCB662F219CA181FE2C78286BF9F41121B8D89CBA4E632787C1E9F302D961D044127007DE0C503896C8EC9DCA7B9E4B85A8A56CF81D44CFCDAD122391200BDAA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...~.1..........." .........(............................................... ............`...@......@............... ......................................H;...........(..............T...............................................................H............text............................... ..`.data....".......$..................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.UnmanagedMemoryStream.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15640
                                                                                                  Entropy (8bit):6.845221810436923
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:cZdi0aXwMxx03Wjz+WCWxNzx95jmHnhWgN7agWWOx6RMySX01k9z3AHVKJ8RS5un:gitwa+3Wjz+WRX6HRN7nVMR9zGVK4bT
                                                                                                  MD5:755EF43FE4AAB7CAE2C2DA7CE10A750A
                                                                                                  SHA1:423B058EFFF8908589BFF756320120AED1454B3C
                                                                                                  SHA-256:4170A7DB857A937751EA07AF981B7F31A43FCAA58240456F1789B5F812AD2E58
                                                                                                  SHA-512:468124870FF78D353D174E454C0221408B882F97A9D9C2DA5C14DAB36A6E48BC8F73C229F20E7250278B6B0B3CF628EF631EF220F7498C4694C4D0BA85CC8A63
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.D..........."!..0..............)... ........@.. ...............................G....`..................................)..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ......................................X}...zO........A9.>.i.(d.?U..)...$....+tw|....\....hX...r.....g.Ve.bO/....Y).p.....v)....h./...HABMc....gbb.k..g.h....+...y#BSJB............v4.0.30319......`.......#~..<.......#Strings....,.......#GUID...<.......#Blob......................3................................................,...........E...........p.......W.................^...+.^.....^...e.^.....^.....^.....^...L.^...Y.^.................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.IO.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.6752554941051985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ldbn83FYyW20bWMYA6VFHRN7m2HR9z7YbG:/n4srFClx9zMG
                                                                                                  MD5:410EE7A35F9C5BB29AA397824BCE39D1
                                                                                                  SHA1:75792618F9940C7BF5DC052231945FC742D9A81A
                                                                                                  SHA-256:29BDE1A93C26C8EEB0EE4972F63D1D562541CD918F1868E691587C0B362ED1DB
                                                                                                  SHA-512:6A19E98CF43AEB70A4E1A2885875203F23A9C2B797A43748B840C2B43BB1C638EEF623C054C22D292B68683C44C2AD922B1700A0C642B0DD20E5FC91D4ADEFEC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?~5..........."!..0.............~*... ........@.. ...............................#....`.................................0*..K....@..(................(...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................`*......H........ ......................P ..........................................q.=.h...G.].l.V,8...Y.E(..C....~..G..T....rKMO.4.....^0..QFA.>..N....F..xe../^.M.......).1....P...h..)....k....BSJB............v4.0.30319......`.......#~......8...#Strings....,.......#GUID...<.......#Blob......................3............................................................=.....).....h.....k...........#...........8.............................Q.....S.........................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Expressions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3857072
                                                                                                  Entropy (8bit):6.688440344738366
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:35JRCk40qWhSxCKB+GuuYKfM21hDPX7dRVLTeeYjGt553P77zbr7jrgrr+c9NHXd:JJRCUhSzBpzfl1mja52rr+uNHXU6
                                                                                                  MD5:03817413A12530268745BDCC91AAC707
                                                                                                  SHA1:351EA9C2B95D678A4CA38A650AB3D1315D4E1561
                                                                                                  SHA-256:96E479247C696952FDBCBBADE7F4883F4CC464499A403E0A5FF738D297829261
                                                                                                  SHA-512:333C29DB2E0E691531AD01BCB871B12D43FB2EE5AF78151ADE980A1D1211BE85FAB6F570BD93FD8A2146F62E5C3C46288DB13DF3D96B40193E469B9308C24BEA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...m.@..........." .....F4..j................................................:.....O);...`...@......@............... .......................................(........:..(...p:..b...w..T...............................................................H............text...(E4......F4................. ..`.data........`4......H4.............@....reloc...b...p:..d...N:.............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...E.x.p.r.e.s.s.i.o.n.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Parallel.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):849056
                                                                                                  Entropy (8bit):6.794704230215764
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:+FeeO6ALy/iA4mQ72yamRPFs7AGiFpIO+tFKQRYSHqsXeUcWDaqTM9tFe9Qvg:ZmiAlQ72yhFwAZF+tkiVcWoHFemg
                                                                                                  MD5:5ADDED89B8001FFA882A96EA03EBEC21
                                                                                                  SHA1:E5BFCAB29D9E5485DF9DC1BA057505936A33815E
                                                                                                  SHA-256:A2664E1104C16FB6DBC0603242E0AF6F0D38AC24A0EF01ECAAAF7DE65C56FCF6
                                                                                                  SHA-512:8786241DE8DB8CD0720AD5DB2AF16DC8C45A45F7C1BACE8E0617D237F1B4965AC52E5B6ED2838DD1C7A9AB98B80F5F5EEBD8DAEE3D15F549036923D383CB34AB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...G ............" .....X...r......................................................7.....`...@......@............... ..........................................8p.......(......P...H...T...............................................................H............text....V.......X.................. ..`.data....X...p...Z...Z..............@....reloc..P...........................@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...B.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...P.a.r.a.l.l.e.l.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...R.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.Queryable.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):228512
                                                                                                  Entropy (8bit):6.511612190549698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:o60e3dNNnG64C2fNxE3SkRn5Hg49GqP2Y9d1:50eNjG6p4BKSiGqP2Y9r
                                                                                                  MD5:73C18427DA955DEAD09F5A4E6FAD1DA6
                                                                                                  SHA1:30B3F49B9945E775EA643B960B744CE418D9B282
                                                                                                  SHA-256:8700D3569EEF72DA62E12691FF0315C68EE52A1338E2DA0CF0B4DABE4DAEDF25
                                                                                                  SHA-512:5962B867BED237C785F15FE6344076E3FD5D87E5378DCF0EE26CD0B705819BF949089C5BEB0F3F158D6C5125B2B9073DE2B9F6B9738102A6EA4C53024F55490B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........z...............................................p......G.....`...@......@............... .......................................4.......T...(...`......h...T...............................................................H............text............................... ..`.data....n.......p..................@....reloc.......`.......J..............@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...D.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...Q.u.e.r.y.a.b.l.e...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...T.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Linq.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):537760
                                                                                                  Entropy (8bit):6.825314740819405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:mLv9rD97INzrSLW5iIEobS5lEPsypTcenKskBvYvvyejaQO02KuXlz8J1J4+PDx3:SFrZ7IA65iIET5mYIKsk8HQVUASxWzw
                                                                                                  MD5:C17BF3E01C0C6CDD92FA8F7A9C443A48
                                                                                                  SHA1:1C2C87C078F55FA89AEC4577D1E8767EFF4633EF
                                                                                                  SHA-256:393C29BB232D566B91AFE4C7D6294D54997A48D43901043A9B499D62EC3F014B
                                                                                                  SHA-512:9509A361B4FA345ECAC9CE0EF69026EDDF2054CEDCCC5C7D7100C4BE31DD02697521E665E91E05E6CCFB9D9A46BC521DCFA77F01220234B473DF5E6D133AB39E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...E............." .....`................................................... ......s.....`...@......@............... ..................................4...$...8F.......(..............T...........................................................8...H............text...._.......`.................. ..`.data.......p.......b..............@....reloc..............................@..B............................................0.......................$.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........<.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...0.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...L.i.n.q...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...@.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...L.i.n.q...>.....F.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Memory.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):173728
                                                                                                  Entropy (8bit):6.792861918315237
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:sKRVN4ab6HEuCKvSwOy6fM/vfovpPh/h/tmlIYrAoS1bUgM1ud:NP+GKjtGPh/hwlUoF1I
                                                                                                  MD5:B1B563F093EE1F4C05B3D0D9DF59BC05
                                                                                                  SHA1:AF1B3BC9BEE01FBF75759F17D57AF109F7FCABDA
                                                                                                  SHA-256:25F850EBE1D79A8DE785C29DAB88CC21417501186832D70FE68293993E2F6889
                                                                                                  SHA-512:25151F701606379FCD726C3B310EB52388E82943D1418467D9B23AEC48F00B43021E0BFEEC305F88778B0DDD9BB3C00FBF9CEB6F400317EE39072001925D6BFA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .....P...,.......................................................H....`...@......@............... ..................................D...d<.......~...(..............T...........................................................H...H............text....N.......P.................. ..`.data....'...`...(...R..............@....reloc...............z..............@..B............................................0.......................4.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........L.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...(.....0.0.0.0.0.4.b.0...4.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...M.e.m.o.r.y...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...D.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...M.e.m.o.r.y...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):82208
                                                                                                  Entropy (8bit):6.572626025407632
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Kkm1ufOCUCV+/pNDCJ0gRlK03B5YjbwtHUfsCN7s6+gzWWzW:Kkm1DCUCV+hND8K0R5YjbwBCx+uhq
                                                                                                  MD5:6A08AEF4C00719F2E1642A90887C9A74
                                                                                                  SHA1:52903122F8643AB7D922560223D2472F890C4B1E
                                                                                                  SHA-256:95B052CC609C7F779C4A2C30461A81175573F4CB1B49506C7C3B29DF260D6D46
                                                                                                  SHA-512:223FAAB78C2E8BB6807DE872E82BCB0624D09B1992D7B274E22BA96E66F67132AF0C6F090196B1EE51AEBA25A83DD8EB72EA6C9A87F115A3DFD61AB371FBB890
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....G@..........." .........&...............................................@............`...@......@............... .......................................*.......... )...0......(...T...............................................................H............text............................... ..`.data....".......$..................@....reloc.......0......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....D...C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .e.x.t.e.n.s.i.o.n. .m.e.t.h.o.d.s. .f.o.r. .S.y.s.t.e.m...N.e.t...H.t.t.p...H.t.t.p.C.l.i.e.n.t. .a.n.d. .S.y.s.t.e.m...N.e.t...H.t.t.p...H.t.t.p.C.o.n.t.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Http.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1807128
                                                                                                  Entropy (8bit):6.72398533519753
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:W2yyqByNNh+gDoiXDeR57e6AnUIVWUtQ+JSy6H7BWxkUvp:WYqcNDo+DeR57e66UIVWiRa7Oh
                                                                                                  MD5:503A05E956BCEDBB5E3FF1A6DAF2EA8D
                                                                                                  SHA1:F4E123ECCE83D4CC6E69304A8FA86D32577CC903
                                                                                                  SHA-256:C528A716B9BF682A7DDC56D69A55D71CE3C73CD113814C73988E376E2FCD64C2
                                                                                                  SHA-512:86BEA623426D2E79704C801B2535A48B46F7A38C6630A6F6C5E5211E6894784ECBA504BF91504902751A062051F530B4E65CF129584C1CA36A16C7308F9B5CED
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...`............." .....^................................................................`...@......@............... ......................................\t.......j...)...`..(....u..T...............................................................H............text....].......^.................. ..`.data........p.......`..............@....reloc..(....`.......L..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.HttpListener.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):639152
                                                                                                  Entropy (8bit):6.673308999442195
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:kskz/Mc4M2+yHm16kUt3p2YWjAp0FTRONXRdR9Rk3jQz9BLJq:kskH2E16KYWbIWkzjg
                                                                                                  MD5:0BD4CC6E18D3B09A80B3453BF35F36E7
                                                                                                  SHA1:7345C78FD49F71ABB6FACF5F20B65A3175459924
                                                                                                  SHA-256:EF574BE2C5237DD729950EE8817977C3160B217E27E16982AB2BDF8084DABBB6
                                                                                                  SHA-512:24C97828BF074D23124C4E34428A6E54B0E66B05EB73F4F4F28CDB1B4107716930144D3C2C2EA03190982C742989DCFE4DB2BEE65E0149E5EE519EE3E19FC759
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...q............" ......................................................................`...@......@............... ..................................,.......p;.......(...........3..T...........................................................0...H............text...>........................... ..`.data...............................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........4.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Mail.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):552096
                                                                                                  Entropy (8bit):6.681059761488281
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:Llpsa0qYPGZVwldB8dhpm20B2APiOLlbH5GPCWZFdYHa4s:Lli7big2joWafs
                                                                                                  MD5:2DB5CD9B802280171D198A4F374B8A3D
                                                                                                  SHA1:E16E86316C521B3E37C90FA409B9E30405CC7AAD
                                                                                                  SHA-256:42E4CAF90ADE0509F673AED417AC59900170063B2FB40F456EA910DEA16ECB7D
                                                                                                  SHA-512:861222A8BBF7A286D00CC2F99553BDE3B465789179FB1371663929B2591BB4392C73E37DBBEBFBD26B37EE27E8567ED197161DEC646B39DB8BAB1299CF0A0700
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....3..........." .........................................................`...........`...@......@............... ...........................................@...D...(...P..T...82..T...............................................................H............text...p........................... ..`.data...*z.......|..................@....reloc..T....P.......8..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NameResolution.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):101144
                                                                                                  Entropy (8bit):6.587604226793615
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:rh+n8sz4LAbKisUGADWjhDC3UxyBKPGPxRI/mpiAJzSvXVdWbzk:rg84DWisUZDWj5CkxyBFfIOpiJvXVd4o
                                                                                                  MD5:50522A3577CBF4009749FFE4E12C8421
                                                                                                  SHA1:D7A60C11F73D9F5E96607FC054B0A2C21492960E
                                                                                                  SHA-256:CD22271A328C2DBEAA059E01A8323FDDD00ABF7342B17973E19F56E8A18C89D9
                                                                                                  SHA-512:7F1D35078C85FF4D72491A7817BAB435E66E0E5579B21D3FDC112405CA0D4F5BF22B3FC558D7123B526A33C2FBA2D8E9037B47AC589BFE92E6A83698EB148C25
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....8...(......................................................$.....`...@......@............... ..................................8...X2..(....b...)..........X...T...........................................................8...H............text....7.......8.................. ..`.data....#...P...$...:..............@....reloc...............^..............@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.NetworkInformation.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):150688
                                                                                                  Entropy (8bit):6.572736787870477
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:L9UrQQVSd8IGazZOBzjG9LysLUYxPZLVXQ2VfxynL7D+1m4aKwN4:Kr/VwpGbzSLUY5Qna1NPT
                                                                                                  MD5:E22CE550763A5E1F7B972C9587C63109
                                                                                                  SHA1:81C44FC9CF5606B5FA01C33433448899E5B928EE
                                                                                                  SHA-256:05D32CCFFF26E886B935D25F59C175641B0E99302D54214D94C13498625C195F
                                                                                                  SHA-512:DE563EC654900EB5E8D20A368E05B9382F4FE069638B9D764D0E7FA19EEC47ED23F72DE532DE2ED44AA29738206285582169A51122B5ADB6A3FD4159B939CE28
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....,;..........." .........0...............................................P............`...@......@............... ..................................P...p;.......$...(...@..h...0...T...........................................................P...H............text............................... ..`.data...L*.......,..................@....reloc..h....@....... ..............@..B............................................0.......................@.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........X.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...4.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Ping.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):79008
                                                                                                  Entropy (8bit):6.583609106071422
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:hd1ARHHv3bN0loUSZMg4m5DK2SvKBpK5777ZizCzX:hnWHHvr1r48DKepKtZICr
                                                                                                  MD5:DC07916645E660B316164ECE2CBB7F0A
                                                                                                  SHA1:AEC0C20BC3EF771483693302FE9E486B856DEF5D
                                                                                                  SHA-256:7E7AF8FEEC2277071F35C54A287242AB2018FC301E708F566DBFEF5CE33D62E7
                                                                                                  SHA-512:F96AB0812E712F5F104A2DF7096AEC061F7ED32B56BE4FA768F54DD97E0C1FE8F38884E4A8E9514A3E895E88B4832F9270F1AAFA9457E6098C5F1DB16AA6EFCE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....>..........." .........................................................0.......E....`...@......@............... .......................................,..D........(... ......@...T...............................................................H............text............................... ..`.data...............................@....reloc....... ......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):214296
                                                                                                  Entropy (8bit):6.693940725784127
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:c78vFw00ic76OmsmwLE3daI1h7IrHX7T1sWkN6OME/64BWm1kv2us+6M6eURojZf:IeFw0j3xbzhcB+ZfwNH6eSojCrk
                                                                                                  MD5:07A07FDE9199A72D6309494874F8A54E
                                                                                                  SHA1:89F28AF32C7E8CB5770B1AAF4DD719F537501414
                                                                                                  SHA-256:BE9DDDFB7A9D42F5161AC689A3B64D85C8E75CE74889FFC4793E95A0CE63B000
                                                                                                  SHA-512:E261EFC035F559836272B9F2131A19CB956815C99EECD85AA38A52D2352DE925E108570EA38F6DAA48F67F87921C425A3907010F5925B65908AAE09605E8A093
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....x..........." .........:...............................................@......R.....`...@......@............... .................................. ...\V..<........)...0.. ....!..T........................................................... ...H............text............................... ..`.data....3.......4..................@....reloc.. ....0......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........(.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Quic.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):293552
                                                                                                  Entropy (8bit):6.63463896794632
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:n1azi2C1DH+sio96LEpuLdXmRw6WSLrlneg/mY:jrSK6LEpuLdmRlnjV
                                                                                                  MD5:CD1D6086F5E7A6150E11795CE3C8152E
                                                                                                  SHA1:A20C6A066729879C2FFC8AF1432CFD6528E87221
                                                                                                  SHA-256:7B7DC503E0C4308ABCE79512C8D3C68390CA70CA5D2ADA8B3DFFC55044892CDB
                                                                                                  SHA-512:ACFE41CD92B68AA5DD9ED8F7D642A7796AE2685E71EC3892F369D22C027D376C9930D56D63044CF59BB5457EF5CD4EDB3F7627FD75C5480B52D0220DA88FE4A8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....5..........." .........n......................................................0M....`...@......@............... .......................................w..|....R...(...p......P&..T...............................................................H............text............................... ..`.data...Re.......f..................@....reloc.......p.......J..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Requests.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):349464
                                                                                                  Entropy (8bit):6.6253757788002785
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:jWirRJNtPryZAMJU8AuxsPOWe5G8eopuFOOn5:jhR7tjyxIugMU5
                                                                                                  MD5:C534BA827DBE97B1D568A8F76D31F63F
                                                                                                  SHA1:95A39F1F53EB7EC5AD6CA825D4922C9F842776C6
                                                                                                  SHA-256:BEE41B3EC358C6AB828167EBE88EA7FAACF4834B3DF7432C92FB758B2FB7CD14
                                                                                                  SHA-512:BA2E587FC901B6340123A06DC924B33D9EAA4B1EF3B5EABC5738C08D116E1AC16943DA2F927029500E5EF44575289641C02F50F0FCF7166ADF9DA8F7AC5B4DE7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..............." .........p...............................................P.......0....`...@......@............... ..........................................*...,...)...@...... ,..T...............................................................H............text..._........................... ..`.data....g.......h..................@....reloc.......@.......$..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Security.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):685344
                                                                                                  Entropy (8bit):6.824608271687778
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:Mi+V+ZiHKzLkQ6kMIUMpygx3NL3dvwCvHq3L/Zg4h:MimHKz1fMOM
                                                                                                  MD5:AA0FCB794B32BBBA9813D7FEBBFD32C5
                                                                                                  SHA1:4AA0AF3D611330CB14EFC72FE803F116150820C7
                                                                                                  SHA-256:673BFFFB75840767ED7EBAB2B5DC8AD9134AE03DB4DAE13525C34AD0259FA4DE
                                                                                                  SHA-512:2628BD7D9BAB6871E1196F9B1380FC1ACD4DDE445F9EECAF7EAB7D7913EE11FCADE1BBA6741D8F7D5E939043DD36CB79112EAB70C953D579D51E34C309A0520E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....k>..........." .........................................................p............`...@......@............... ...........................................<...L.. )...`..<...(-..T...............................................................H............text.............................. ..`.data...............................@....reloc..<....`.......@..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.ServicePoint.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):37024
                                                                                                  Entropy (8bit):6.496750745453374
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:nW+mFWAN7A98x33dWh8noYSWxRyOM9P3x8rI0vKnfrjRYFSlxgdg3a2myQJN29RV:8NKyM2y37WAD9wggLsgbjWFCl7ts89zA
                                                                                                  MD5:3301E5143564ED78720D0F03612F499A
                                                                                                  SHA1:FDC810CFC491FFF116B5F37DE1BEC78EE34598F8
                                                                                                  SHA-256:15798792F8BAAB0B1BFCBD8466C791A624A1796C6A9ABDF9F60771D6094E69B4
                                                                                                  SHA-512:E6BF1D68D3CB79ACFDE091350203B27B2D8148E3369A1A382EE727210D4A3F44818022F9244218D009B01BAA63580D12C05FCCE9F3DCD3077967A606C85D500D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....\................................................................`...@......@............... ..........................................`....h...(..........H...T...............................................................H............text...KZ.......\.................. ..`.data........p.......^..............@....reloc...............f..............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...S.e.r.v.i.c.e.P.o.i.n.t...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.Sockets.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):506528
                                                                                                  Entropy (8bit):6.740058323843262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:TZ7w8ky6SctjxnyBDtnTDiL1h10I+nzL9wRopG+t+dRk4p7C:TZ7GyJctjxyBDhizNoA+t+dRX7C
                                                                                                  MD5:BB51E0D392A7FD7D7507CD4BC14C476D
                                                                                                  SHA1:22882A4BFF03922C5D2CC202831103AC85E8E5D9
                                                                                                  SHA-256:1BFA1A6A66D84EF5966FBA95C19BCE5E9F8D5FE51939902B9730FB5897AF125C
                                                                                                  SHA-512:EC89187EF407EBBA2A3CA5E35A746919CB8446E47F698F75514B198A5AE35ACF454A0904A45463D843D1480290E372D1D3FE2B972B421DFA420EC53C02871E1F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...x............" .........~......................................................].....`...@......@............... ...................................... ....6.......(...........4..T...............................................................H............text............................... ..`.data....s...0...t..................@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebClient.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):166560
                                                                                                  Entropy (8bit):6.646097951171125
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Joi5C2iVJp9C2Mcz7qucR2iVY3qwJhliW3EMluskR2+8bICbOc:ai5C2sJrbMczOucR2lSskf8bIRc
                                                                                                  MD5:B060AEEE1F03574C9B567E1B7F2F4741
                                                                                                  SHA1:BBD28613E265B04047406B9149524DCC0B2CEA0A
                                                                                                  SHA-256:893512032A693DBA282A2C9A7A8D95A64D8099C267B62B868755FBB50A36AA5E
                                                                                                  SHA-512:5C3922E47AC5D24EE3B5BB8409D9AA0AFCFFA40F73A434ABAFB8AE7AFE42E06EABA3A81F79684F9BEC5589CA9F2CE09D67119D2C4BBFEA2819E8194360CEC130
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....K..........." ....."...>......................................................TM....`...@......@............... ......................................$L..p....b...(......x...P...T...............................................................H............text.... .......".................. ..`.data....6...@...8...$..............@....reloc..x............\..............@..B............................................0.......................t...,.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...h.....0.0.0.0.0.4.b.0...B.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.C.l.i.e.n.t.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...R.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebHeaderCollection.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60704
                                                                                                  Entropy (8bit):6.534824454137025
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:jNfR5v+6SDbVXWTGEV3VulTTTTTTTTTTTTTTTTTTTTTTTTT0SWHzh:jH5KpXqGQ3VRSY9
                                                                                                  MD5:B1129490D0C33F7EA01D0366F8FEE431
                                                                                                  SHA1:B180A00E3A851C5E741D7ABAA58B1343FBAF839F
                                                                                                  SHA-256:6BA0F2C2C9FF2031956E15DFB376B19C54358CE3D3FE95BD1003EA026F908350
                                                                                                  SHA-512:980890ECF3D616629D5A9021CB6B5A3871A8E5948EF976D61EAF863C1856C933904517679E2F94E7E43E615174C8157570154A787CE1B6F7E6D26618A67E450E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....gR..........." ......................................................................`...@......@............... ......................................x".......... )..............T...............................................................H............text.............................. ..`.data...9...........................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.H.e.a.d.e.r.C.o.l.l.e.c.t.i.o.n.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebProxy.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):31904
                                                                                                  Entropy (8bit):6.54527100441263
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Q3WpNwWK3k/IKgZ3cZq2VUi6VGt1QWKlL/95a1NqOMUViKsYA6VFHRN7YBmo8R9f:QQqk/IdZx2Vd1HITUIKsFCl+moQ9zT
                                                                                                  MD5:BDD17CBF5A46DC3D656C2C730169A013
                                                                                                  SHA1:EE59429AEAC62F69EE4B13F79B2091847F5791B3
                                                                                                  SHA-256:AB719DBCC893F90B0FAC078E733707EA8B8B8457CD52D40D1CA60BCB1C0FF283
                                                                                                  SHA-512:4FBF49DD2E521C140828AABD69E90BB655E0ABC481A092966B64473D375A8B5A1E7038FF43B6E8310611D7812A6748772BCCA1AEC2DD818ED8134A6167B75F71
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....sd..........." .....H................................................................`...@......@............... ..................................t............T...(...p..........T...........................................................x...H............text..._F.......H.................. ..`.data...i....`.......J..............@....reloc.......p.......R..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...@.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.P.r.o.x.y...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...P.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...N.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.Client.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):76568
                                                                                                  Entropy (8bit):6.486879247180926
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:e855wMIHHZGtiwpdI3OJckDDjH49YLOXCvzlchIbIJQ4zUWdC4dezF5g:P5ynwtxpS3a5DDjY9YLNblchIMrUCIPg
                                                                                                  MD5:3EDC4F4238DD043E45438DA61B13EA20
                                                                                                  SHA1:6133535D352BC23A25D82BB91DEBB7314BF09D8D
                                                                                                  SHA-256:022911160CB8430C2BC61076EADE816B739B410A3C677775FAC1AABEC3EE6193
                                                                                                  SHA-512:908512481F730F93BC7AFC3352356B99040F0A2B34980475B7DEFE38BFA167EF62349D1CCBD8692460F63DB684413197F2EDD156DAB9E319812A2532F8ED6FE7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........................................................0......R.....`...@......@............... ......................................8(...........)... ..........T...............................................................H............text...1........................... ..`.data...............................@....reloc....... ......................@..B............................................0...........................l.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...R.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...N.e.t...W.e.b.S.o.c.k.e.t.s...C.l.i.e.n.t.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...b.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.WebSockets.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):182040
                                                                                                  Entropy (8bit):6.636679003445195
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:MRYGqKe6VEqtNENTFsYz0UVUUAlTXRtnNzrepROMJwRuzTYZbQLmvhYst/Oo1BVQ:cqKJrWTSRzrijqu1mvh9tH1O/LR7hgS
                                                                                                  MD5:FB943368E3D0A8DDAF7FA61BCB5D17A7
                                                                                                  SHA1:41EACE094BE1DEDB08FA33AF0532CB3C965CCB94
                                                                                                  SHA-256:0761C0DD216C673BD2C195B3B5023DEC1A1EF1CC2CF7D6C4B7ACFE6D53D138F9
                                                                                                  SHA-512:C79F295C42DB420BF3E9E3344AA3431CD7A5556008709E2B62B32D22776BD5BCF95A8B397DBCB5EEBAA65C8F29DDE6C3341751579A88DF2283308C504B26685D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....;..........." .....d...8......................................................7.....`...@......@............... .................................. ....O..`........)..........P...T........................................................... ...H............text....b.......d.................. ..`.data....3.......4...f..............@....reloc..............................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........(.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18080
                                                                                                  Entropy (8bit):6.564696056239549
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:TV6EWw139N8HMWo9VaWVYA6VFHRN7YtQB6R9zqgSvK:TV6Er139hJFClXB29z6K
                                                                                                  MD5:C6E66B36C6BB32576CAB9AAA8BAFD3CA
                                                                                                  SHA1:E03AC51AC254F0C83177348ADB372DB7A7CC6F68
                                                                                                  SHA-256:3096786D4F35FAB8C7888739CE0685C19E90384CE2C84F0B4086F6AECD119FBF
                                                                                                  SHA-512:0CFDDABA675E81542837C54D49902346E59B2F3DFFA7654BB52DAECF5EB97CD67F13A8EA4F2BD402F49FC3D1B2356F29A2B9AF64ABB0925F1C4FC7196126CB36
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Net.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............2... ...@....... ....................................`.................................92..O....@..8................(...`......l1..T............................................ ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`......................@..B................m2......H.......P .......................0......................................BSJB............v4.0.30319......l...X...#~..........#Strings....D.......#US.H.......#GUID...X...D...#Blob............T.........3....................................6.................l...|.l.....Y...............M.......m.....m...c.m.....m.....m.....m...'.m.....m.....m...^.............n...5.l.................S.....S.....S...).S...1.S...9.S...A.S...I.S...Q.S...Y.S...a.S...i.S...q.S...y.S.....S. ...S.....S...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.Vectors.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.687048412668527
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:JrjAWaSBWvYA6VFHRN7AvxtHNsAR9z/qB:NlSFCl0ts89zM
                                                                                                  MD5:309039F112697E308D056D2158356900
                                                                                                  SHA1:189C30BF34796EEE0235E32B9BC700BEEF02F8D8
                                                                                                  SHA-256:64B6B0276153ED01CA5AB5F9025B77F0EB7B128DC70EF28772EA5F4908040982
                                                                                                  SHA-512:0E948DD2A3BF9AFA3A023EC11F9B084D8644F8992ACE329BA5C3F7272D70F98A09344E9BFEFB83581970250F558D86702FA7E55BF7DA4E80AF07C94D768772DC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."!..0.............N*... ........@.. ..............................~.....`..................................)..W....@...................(...`......D)..8............................................ ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0*......H........ ..t...................P ........................................G..Umd.)..t..W.f..$:..$.!.#k..6....[......$.....a..Y.".+..7..*.ytc.s#./..3J..u._]0.....$!D..i..:.nI......'.#.r..?. l...BSJB............v4.0.30319......`...<...#~..........#Strings............#GUID...........#Blob......................3......................................D.........]...........v...................`...8.....0.......r...\.r.....r.....r.....r.....r.....r...}.r.....r...........6.....

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Numerics.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16136
                                                                                                  Entropy (8bit):6.697117344335608
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:oYav7sTWeuNWLupWjA6Kr4PFHnhWgN7acWssrSwKUWX01k9z3A/bsJtZv:8vATWeuNWLuYA6VFHRN742R9zEAXF
                                                                                                  MD5:9018AA6B91AA5DF3C88005096ED2CD7E
                                                                                                  SHA1:368E11B37E6A8BFBA84D6E467E4778CEB1337A07
                                                                                                  SHA-256:A526F157B4A51A1AD9B466486EC1093512E089DBCE9406CE68F2A277F01D4CA4
                                                                                                  SHA-512:BAA1ADC058D33E9500AE3C5C2E7E09967203833676B39B04B489B062C603C0D269531830DBB8AB174750A061606B0C4A98E7F5AE41C1B31AE5FAE2067FF965B5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jC..........." ..0..............*... ...@....... ..............................,.....`..................................*..O....@..X................)...`.......)..T............................................ ............... ..H............text........ ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................<)......................................BSJB............v4.0.30319......l...|...#~......@...#Strings....(.......#US.,.......#GUID...<.......#Blob............T.........3..........................................0.........]...............................D...?.e...K.e.....e.....e...".e.....e.....e...}.e.....e...V...........e.............-...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ObjectModel.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):91296
                                                                                                  Entropy (8bit):6.552192386026593
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:h8ks3VsIlDmkz8gMnOQcdD1JqS4iA9mVzz:hPmVsILfD1J8neP
                                                                                                  MD5:521CF966B382E1EB5D9D01428228DAFF
                                                                                                  SHA1:EF28980F7AE17D97A3A75DD71BB7EF0C3ED27735
                                                                                                  SHA-256:73591E15ECBFA321B9F465F9456570CDE89DEE15D124151FD19757DFC8AD8467
                                                                                                  SHA-512:254181F918F52F1D1F78345D63BF25C048586342025A7667F123A15AD82C5631B1EE8665C6678C98B2D53D81486EC0ED972C893BB0F5EC071D147B98E5AE0B93
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....R..........." ..... ...................................................`.......M....`...@......@............... ..................................t....).......<...(...P..........T...........................................................x...H............text............ .................. ..`.data...H....0......."..............@....reloc.......P.......:..............@..B............................................0.......................d.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........|.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...X.....0.0.0.0.0.4.b.0...>.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...O.b.j.e.c.t.M.o.d.e.l.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...N.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...O.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.CoreLib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):10637576
                                                                                                  Entropy (8bit):6.834783559373698
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:xKMweeI2ZQsU+fRIwvUVvJS63bXqPrLAU4n/0v4/PyGvjt:mC2SsU+fRI/VvJSyXiOyGvp
                                                                                                  MD5:7C5ED0C3E2AB441A064D45FA52283271
                                                                                                  SHA1:505A8AE8540487C3A13A29EB48512D07F0D3BD28
                                                                                                  SHA-256:B2F486B07E0EC96526CEDB244C6EE71F3FB41DFFE71DEE7DFB03F7D3E2731C3A
                                                                                                  SHA-512:EB2B02F4C4B1FA2F2D885CCA0B1C05D060EFBB5D14FB69828DAA29C9F0E02FA9C045AAF463F9DE180FC8B1DEFE249D52DDBDC342896EF85517946CA1C31D2E58
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..."G............" .........F...............................................P.......z....`...@......@............... ......................................d........(...).....|r......T...............................................................H............text.............................. ..`.data.............................@....reloc..|r......t..................@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...F.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...P.r.i.v.a.t.e...C.o.r.e.L.i.b.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...V.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.DataContractSerialization.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2077472
                                                                                                  Entropy (8bit):6.72870931628793
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:SjARoZ/R3NMBSsdt1VRDBaC3Eu4cu+SqsVDFWStODPPLn2DLDbme:CuUZFPbme
                                                                                                  MD5:3F837ADD0F62A2999E2FC22AEEF45587
                                                                                                  SHA1:74008D3205279C03EFBE6517FAF6C1FB35F3A3D7
                                                                                                  SHA-256:94338A56AE23EBA25980E2290DF1C7084F999385DE40455D6D7079E4F04A252D
                                                                                                  SHA-512:B1615F323FDA3B0BB9B31AEC5BDA50ACB6AA0758C7DDCB5F5E0611BD814DD0E9B0A02493A0EB04A8E88F35C88384E048C032D82A775E83E4593F455860BF3C2C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ................................................................., ...`...@......@............... ..................................H...._..8....... )......,!..P...p...........................................................H...H............text...!........................... ..`.data...s|.......~..................@....reloc..,!......."...h..............@..B............................................0.......................8.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z..........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........P.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...,.....0.0.0.0.0.4.b.0...j.)...C.o.m.m.e.n.t.s...S.y.s.t.e.m...P.r.i.v.a.t.e...D.a.t.a.C.o.n.t.r.a.c.t.S.e.r.i.a.l.i.z.a.t.i.o.n.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...z.)...F.i.l.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Uri.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):252576
                                                                                                  Entropy (8bit):6.802013587081938
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:yp8ZfzHkVNCVweEiMw8lDw3ccZejsMMNt:yY7EVNveRqlDQccQjsRNt
                                                                                                  MD5:1F2700BAD871C050F72716C0CAFF7458
                                                                                                  SHA1:B2998EA702ADF8EE08494E33D89EE03816BB74E7
                                                                                                  SHA-256:9DEDF16199CD1080BB1E13698DC8CE32F2812C793B08454BC90B73A9035E4943
                                                                                                  SHA-512:99C9BC15B2CA677A5A6C963C81AF4B20E6D2128C0A117C3D6D23C6FBBB0A2616704682A61AEF7F9C5CE350114DC9669F993495D0F940B2115025D63318DD72C6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...$a7..........." .........&......................................................2.....`...@......@............... ..................................8....V...........(..............T...........................................................8...H............text...S........................... ..`.data.... ......."..................@....reloc..............................@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z..........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.Linq.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):405272
                                                                                                  Entropy (8bit):6.713111186922785
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:03P9cNr3NWeN35BpICdwtH/lKPmSZpcHMp3/:03uNr9WG1itH/G1ZpcHe
                                                                                                  MD5:1EBEFB503EB38EF1D4A87FE02DC730AA
                                                                                                  SHA1:CA95A54B131CD0E6F8CD0606068C1902F5631B6F
                                                                                                  SHA-256:0B015273A1AC4FE3C25A248E91ABD4D10C76D70242C1DCAE45EA2BD9402B46D1
                                                                                                  SHA-512:DC311F78C2E91C22B9921E6B11D6B2CCDB285E22ADC8A35071BFF4C6461C218A0C6F151256A88359DE0C1DD8D142FA6FF6174D5CE8E7B0A93634EE90F48F71C4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...5.N..........." .........j...............................................0.......[....`...@......@............... ......................................L....0.......)... ......0+..T...............................................................H............text...B........................... ..`.data...O`.......b..................@....reloc....... ......................@..B............................................0...........................`.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z..........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...P.r.i.v.a.t.e...X.m.l...L.i.n.q...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Private.Xml.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8505608
                                                                                                  Entropy (8bit):6.821394087878173
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:04wrkcWo4NZeOfTZy0TaFqZlHX/UEewQbFo:RcGNZ1fTZFYQPjenb+
                                                                                                  MD5:43EC26D02606E233E8B10785D7B8B40C
                                                                                                  SHA1:478404CC0542C7B7DB249B9913CD1094D0A072D7
                                                                                                  SHA-256:11911797EA424D8103033A2D1D3D7352D92A7ADBF7297F91BDAD1D7918CDA122
                                                                                                  SHA-512:4859DBDD96AB539BB0929B3829110FABCF4D5DBEFA22729671E488258992CFA91B5BCF4BFCF1D3EA00CA78C4A19FEA7924F4862A3EFDA392FFD80B4033AA81E8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....u............" ......|..........................................................a....`...@......@............... ..................................8...<...8R.......)...`..X_......T...........................................................8...H............text.....|.......|................. ..`.data...8"...0|..$....|.............@....reloc..X_...`...`...@..............@..B............................................0.......................(.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z..........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........@.....S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.DispatchProxy.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):66208
                                                                                                  Entropy (8bit):6.5748535239611074
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:zlGq66P0kymbnA0be+s8cu5BimUxbIuKmCinzk:zlx6URymbAiy8Bimx9mCIo
                                                                                                  MD5:9795FA4479E874973EBC95DB710F5AE7
                                                                                                  SHA1:710B8C7503ABC1DEEB1ABFEAD100043EA8E84CC1
                                                                                                  SHA-256:F20CADA99D1CCEE74B82670E3987372EADBC3DA3F87BA5AFD4203262E79463C9
                                                                                                  SHA-512:9D55902EB4E3C91BEC6264BA6B8BAECCF27D04136CFE6A2854A1AC9B4795F418D22FB8C2B120709AFE3610FF67C6328EEBE80A288F1CE127BDB8C840056575FD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....:-..........." ......................................................................`...@......@............... .......................................%...........(......0.......T...............................................................H............text............................... ..`.data...............................@....reloc..0...........................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...X. ...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.e.f.l.e.c.t.i.o.n...D.i.s.p.a.t.c.h.P.r.o.x.y...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...h. ...F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.ILGeneration.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.718453492542051
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:umLIkWVhUW3YA6VFHRN7TV/6fR9z+Arlutl+P:RL6JFCli9zhrlutlU
                                                                                                  MD5:33BB83C0329A3AA6508C3107B69BCB3F
                                                                                                  SHA1:CCF12D70AD543047A3B1B5C4AD6B9E9D146E3E93
                                                                                                  SHA-256:946DC1A1F9C330FC997ACD483DBAE7526850E36DBDB7BDCEC9AB641EC88F6177
                                                                                                  SHA-512:9ACCEBFB3E264AF66739D80966C49283DB1312ABA6E322C928F34FD946A304E18BEEDC94BD1D1222DAED8E82643C7E253CDF495FC5F835D1D5AAE8D78B6A0F0C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L............"!..0.............n*... ........@.. ....................................`..................................*..S....@...................(...`......P)..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P*......H........ ......................P ......................................{B.+k.Z.....6A+7{&....[.u.o^c....@.`.2..Z.....-u.Y....^?..I...e}..[J..........{.TQ.m.......`.N1.x.4..PI\..Y2\G.S......H.jBSJB............v4.0.30319......`.......#~..t...D...#Strings............#GUID...........#Blob......................3................................................"...........;...........f.......7.................b...!.b.....b...[.b.....b.....b.....b...B.b...O.b...v.............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.Lightweight.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16152
                                                                                                  Entropy (8bit):6.716289561025598
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:pBAHj3OWxuVJWcX6HRN7L8h9R9zmwjSiD:+UZW4J9zLjSiD
                                                                                                  MD5:3BD0D0B84763138671CFDAAF0E86F9AF
                                                                                                  SHA1:40464810F0AA8A41FC29726B67D10C5A88566449
                                                                                                  SHA-256:287456D6B98567E5B329B69E533EC9B1D41AD9B5572913261A20004CECD8C594
                                                                                                  SHA-512:B7D55DCF369A632670023D92B4E07A931B1B0D5F341D7DD4300D8C3791C994ECE146B64DB442B4C72E1E418D281B92315BB386AF9C23CF145B653189E35C55B0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............)... ........@.. ..............................6.....`..................................)..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P .......................................Q..._R...6%......l.f......l.......=..E...v.x."...HtD..@t.l%....$&.R......K.U+...sK>.0....qI.....>.y...p..woxT.m...."B..BSJB............v4.0.30319......`.......#~..H.......#Strings....P.......#GUID...`.......#Blob......................3................................................2...........K.m.........v.......@.................G...1.G.....G...k.G.....G.....G.....G...R.G..._.G.................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Emit.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.7217086921406155
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:dlxqu8LLLW6MCRW/3YA6VFHRN7Sq//Bmo8R9zMLgod:Mua2FClVRmoQ9zU
                                                                                                  MD5:E148929B3AB3CA72254029548EABF64E
                                                                                                  SHA1:F26F7E2EAB2DC37DD5E3E264281A3F2E473C8B87
                                                                                                  SHA-256:5BC03566BE47D7C6EF6FC512B1A1665567E3F73A1BAB828263230E932EA4B596
                                                                                                  SHA-512:74E5645CA885543CDF7FB589647F2C75FC58C6325D613C8DBFBAA2A145E96B64353358D3691DAE454FBDCD43E4ED42DD187791227EF81A736BD0FF940E441A7D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............*... ........@.. ...............................p....`.................................d*..W....@...................(...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ......................P ......................................E...B.....P...oM.rXh.0C.....pX>.-..2........t..C+T^..j..iu..I-.W...{>....~H;...Y.......|...:S....w8..D../.WK?..NUdC.9$BSJB............v4.0.30319......`...X...#~......p...#Strings....(.......#GUID...8.......#Blob......................3................................................"...........;.....2.....f.......$.................+...!.+.....+...[.+.....+.....+.....+...B.+...O.+...v.............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Extensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15648
                                                                                                  Entropy (8bit):6.802306968215209
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:mIBjrxJ+WKbWWvwWxNzx95jmHnhWgN7agWarn8RwX01k9z3A1Zx+XL7Dm4:mgRJ+WKbWWvvX6HRN7zrn9R9zmwjm4
                                                                                                  MD5:B8B928549CF3DDC413906F366B00A626
                                                                                                  SHA1:416B4D51DBA2452EE7160045FC0E666F52A1D15E
                                                                                                  SHA-256:7091A88BC875AE71C24CA697176F0FDB7B80BBA874E3AEDF485EE5C5A99EED8D
                                                                                                  SHA-512:3042A1A2F456302877017476E73B8095F1FE4F2B36569140C61A1D6B30597FE42CADCE6147551CA099E0A751BEBE0B2A530381D1EA3CC6A01AF49ADFD5756639
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....M..........."!..0.............n)... ........@.. ..............................i.....`..................................)..O....@.................. )...`......`(..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P)......H........ ......................P ......................................,...,..rh.u.b...A..KO(.6..3.<....*...t#.bf.:`......s....G...V:*....\u.O!2...u...C(.4.d.9G?....OY..[o./.u6.+:..H$:..7..BSJB............v4.0.30319......`.......#~..0.......#Strings............#GUID...........#Blob......................3..................................................,.....,...3.....L.....^.....a.................w.................w.................G.....I.,.......................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Metadata.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1130768
                                                                                                  Entropy (8bit):6.716178697279381
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:Ac22hrYDBSZlNmj4C3MgRjfyTMCSTWeW8kJjaJlB9vN10wyQXoVODzty2el+jmZC:AQto0ClR2TMYpO/owh3Dzw2el+jgC
                                                                                                  MD5:0AE39983665F6795ECD075CD8E94B776
                                                                                                  SHA1:8059256845DB65BBE27EE549FEF7AAC5D984531E
                                                                                                  SHA-256:3680BEAEB634F53EB2FADCEDD43FDBE0763F6BD318FB01088DECB4D0441C27DB
                                                                                                  SHA-512:62C724C83658EA11321DCBE49F9764E0D5EEBCBD7FC1FAD81B707D8CADFAA6D7BD0B64221532C6681C4A421CF4D89963846F4241A3702826A8233013A05FA838
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .....4...................................................@......8B....`...@......@............... ..................................h...............)... ..h...xW..T...........................................................h...H............text...>2.......4.................. ..`.data........P.......6..............@....reloc..h.... ......................@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...T.h.i.s. .p.a.c.k.a.g.e.s. .p.r.o.v.i.d.e.s. .a. .l.o.w.-.l.e.v.e.l. ...N.E.T. .(.E.C.M.A.-.3.3.5.). .m.e.t.a.d.a.t.a. .r.e.a.d.e.r. .a.n.d. .w.r.i.t.e.r... .I.t.'.s. .g.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.753447262554626
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:qrP0CPxxkYWSD+WrpWjA6Kr4PFHnhWgN7a8WgHH6J2OCjVi6KrIX01k9z3ALxQLS:M0+WYWSD+WrYA6VFHRN7L6x49R9zaxQu
                                                                                                  MD5:ED46EDD045A16E38ADD5814DCA362B0C
                                                                                                  SHA1:8E9CEF564A13E2800FCE2D7B447008AB28C5BA64
                                                                                                  SHA-256:A0EF5D467731B176A48C3D6B349EFB0E120365CD6CE700E02B8F02BD0D9FF5B6
                                                                                                  SHA-512:930E14F58DF97E446A1C2CD68DB2892FF1BFEBA972A7F6C6F548202269387F18D6E26C08CBF9124E9042C81ACC073A60EFFA2427D34135523ED8643D38C26C8D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....v{..........."!..0.............^+... ........@.. ...............................H....`..................................+..K....@...................(...`......T*..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@+......H........ ......................P ......................................+.U.........$V.....h..../...9.|R.7)..^ck?Si.'......TY..."...2!.I^#.._h...6.W'..c$..g.1'/L.~.........r....Cd..o...q...BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3......................................3.........@...........Y...................`.................g...?.g.....g...y.g.....g.....g.....g...`.g...m.g.................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.TypeExtensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):33440
                                                                                                  Entropy (8bit):6.476067104710918
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:kmSlEcREAwcc1+Wc+bgvPLfmFClits89zSo:RSlEcocc1+Wc+bgvjfyi6zSo
                                                                                                  MD5:6EB4649F4FDF0E31924DB943C0F4DE49
                                                                                                  SHA1:413C6B6D0531BDBAB8E939D8D6673C30D25AB8BF
                                                                                                  SHA-256:D700C814151CE8AFB89419FA0DA373444999993EB99BBEE129C7529C83595BEF
                                                                                                  SHA-512:5639B5E9220623D50A40A1D07FBDA9B63B718EBF7AC00B1B1C6807E4FD6464A7B61F0FEDAABC8840D6B0CF09079C6523A571D3C2F2D41FDF204559E526460110
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....#..........." .....P................................................................`...@......@............... ......................................D........Z...(...p..........T...............................................................H............text....N.......P.................. ..`.data........`.......R..............@....reloc.......p.......X..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...Z.!...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.e.f.l.e.c.t.i.o.n...T.y.p.e.E.x.t.e.n.s.i.o.n.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...j.!...F.i.l.e.D.e.s.c.r.i.p.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Reflection.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16664
                                                                                                  Entropy (8bit):6.7304228518382665
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:xe1MZK+hTxxYVk+jWhHCWWWhWxNzx95jmHnhWgN7acWafnjyttuX01k9z3A1iaMb:4EpiZjWhHCWLKX6HRN7SSR9zWia87T
                                                                                                  MD5:9E6DFCB7B11307322D29628962C8DA01
                                                                                                  SHA1:C92E0A8B9C638485F1FBB8E8FF5AD0C7E79B3142
                                                                                                  SHA-256:03B4718EC3BEB7F6F5C982C41117CFF12475C0656E3F6741106C9BCA2F582714
                                                                                                  SHA-512:4D9C2C0B293C2994BABD297167584BE76438B77595B8936ADC467A54960AA06A3DD6214EA569FA74A16B8B385DA3A068C783851566248A677D73C8AFD61813E2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(q............"!..0..............-... ........@.. ...................................`.................................8-..S....@..h................)...`.......,..8............................................ ............... ..H............text........ ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B................p-......H........ ......................P ......................................VJ#...;l.?.D..Y..<......=........0.,I.e..A.x....y.."*..t.@.}#...A.G.........j.|..q0....d%&Z.....$.q+<.x.....O..=R.A.BSJB............v4.0.30319......`.......#~..........#Strings............#GUID... .......#Blob......................3................................#.....a.........z.<.....<.........\.......3.....w...U.....M.....7.....y.................................................<...........

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Reader.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15624
                                                                                                  Entropy (8bit):6.785037363575662
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:SFP0axKOW4A3WIEppWjA6Kr4PFHnhWgN7acW7m/yttuX01k9z3A1ir:4PZKOW4A3WIEpYA6VFHRN7GvSR9zWir
                                                                                                  MD5:32B77094CD111197938D57101F437A87
                                                                                                  SHA1:0D19DE916A18106E63F25E9E0DA4E13519FD0847
                                                                                                  SHA-256:27125239D58403F260966DB56F490B94A6992BFC8BB7391E255134BC24B956D3
                                                                                                  SHA-512:9BCC1B8A2D17EDA2C97B2F30AFE73C73F747C2318824D93231F6E5C5E274FD724AFE0987D1C77F4F07DF4EB1165BE77C943D439D3370F62B9D932D5744E78CB6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8............."!..0..............)... ........@.. ...............................j....`..................................(..K....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H........ ..@...................P ........................................i.@~N..D.D..2......B......."..\.zE'\...R.._6..v].6...._`..rS..s..fyAg.7..N..#t..oi.1......[..(...b./.H..j.;..<O.%!K.,.[BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3..................................................=.....=...3.*...n.....^.....a.................w.................w.................G.....I.=.................$.....

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.ResourceManager.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.76516043840326
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:n/msL3vWVszWSYA6VFHRN72JBmo8R9zMLArCYXo:uszVdFCl2TmoQ9zhj4
                                                                                                  MD5:D9DD864AC4B90BA4E63AF795256B701F
                                                                                                  SHA1:4DBF63E5D8089DFA2792A9A54AA91D6CC2682173
                                                                                                  SHA-256:0DA11F94B9CF32240B99497802076E9C4A37CF0F4E46AD83D63FEE3AE7B5CA9A
                                                                                                  SHA-512:8758B926D8AAB3D09BEE8AD989EAC867EB989D31D625DF6C6CA9873DBD66B0917657A358CCABDFA4A816DFB7BE877F96A36A0370A9FD58824DBC2159B04A2B82
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r............"!..0.............^+... ........@.. ...............................Z....`..................................+..O....@...................(...`......H*..8............................................ ............... ..H............text...d.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................@+......H........ ..x...................P ......................................K..............h?.:..P.=,.?.......\W..`..[7.....P..L..........'.|....IK.....!.l.......=H...8b5..t.3{.qu.....D..Y...F.z....BSJB............v4.0.30319......`...h...#~..........#Strings............#GUID...........#Blob......................3......................................M.........f...........].l.................r...A.....9.....#.....!.........................................q...................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Resources.Writer.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):45344
                                                                                                  Entropy (8bit):6.554040619235554
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:bp7oRtyqsSfySDzEjIPvG8lZ6r+WJR9zLjk:bS/Hjnz+0vGU3WJDz
                                                                                                  MD5:3B10AEE75EFECF3842D35624FADD1592
                                                                                                  SHA1:859B1BC05DB81D2C9E1D4BBB78497201DF4E5F10
                                                                                                  SHA-256:F6E56F2540DD97088089B7BCCDF9C8DE63B9EFDCBA8F413C4D691D0D9650B059
                                                                                                  SHA-512:EA64E351A623C949EF1E0D0780B5BC2921AAC34698FD106194E87021D2A92200BE2937F2DCBA7651386E4EA6554AE52646174477E4C3D8EC923B4222A6289FB0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....f..........." .....v................................................................`...@......@............... ..........................................@....... )..............T...............................................................H............text....u.......v.................. ..`.data................x..............@....reloc..............................@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.e.s.o.u.r.c.e.s...W.r.i.t.e.r...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22816
                                                                                                  Entropy (8bit):6.422373350096493
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1Wgb2WYaXPPGmNOWWWfmXonPQ6X6HRN7wdkyEpcR9zt5dod:F5HGmNG0LWuEpw9zTe
                                                                                                  MD5:0CD66CD03167DE27EBA44176A20B1DE6
                                                                                                  SHA1:79F3403535AC862911ECC216499325CD0349AE22
                                                                                                  SHA-256:6C14B33F85E1F559D4FEC82C188D7377B9AF11D24F17DA66BC6F30FA72ED59AE
                                                                                                  SHA-512:4027EB337FCC5271DE79FD72845EDFE65BD1D27B3D2C027E4B789D58A511A9584D0893A6D17C04C3C4209A7720B661A4916EDC62B39F700EC1AC334AC1ABC336
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....lf.........." .....*...................................................`............`...@......@............... ......................................$........0.. )...P..........8...............................................................H............text...o).......*.................. ..`.data...=....@.......,..............@....reloc.......P......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...f.'...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...C.o.m.p.i.l.e.r.S.e.r.v.i.c.e.s...U.n.s.a.f.e.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...v.'...F.i.l.e.D.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.CompilerServices.VisualC.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20128
                                                                                                  Entropy (8bit):6.579414670424758
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:CWsELWh2IrR/Tvna4EcWQOYA6VFHRN7JBR9zpO1:LS2q/Tvna49OFClJr9zw1
                                                                                                  MD5:9797EE9E57A027A698160566E9D90B25
                                                                                                  SHA1:466BF47F20DDEE5EBDB17882B6516CB0D3674B82
                                                                                                  SHA-256:F04A92B890D871BAA63CED5AAE3A993157B2EDD8AA5996607A046CFE9A4D63F8
                                                                                                  SHA-512:0FBDBF279B2E04631FA19E948D2F03499D1B7F1ACC9512B402DBBE2DA7CE12F6090D9393415E94F77D6DE380671506BF4F4BC851F88C103E344371D081CAA66A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ..... ...................................................P......=.....`...@......@............... ...............................................&...(...@..........T...............................................................H............text...`........ .................. ..`.data...D....0......."..............@....reloc.......@.......$..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...C.o.m.p.i.l.e.r.S.e.r.v.i.c.e.s...V.i.s.u.a.l.C...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Extensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18184
                                                                                                  Entropy (8bit):6.6208527927079635
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:J5y7UByGe9xCEW60W8eNWUYA6VFHRN7B/7R9zb32:faUByGeY0FFClBF9z6
                                                                                                  MD5:BA4C37FBECE8728A70A1C5F21154BE54
                                                                                                  SHA1:2686CE405CA08FBD43660D80E4475BCCBBCC1D51
                                                                                                  SHA-256:58B0A3FF1CE0C24F66A2423883700E12CC92952EE14AD27050351739271225CC
                                                                                                  SHA-512:BD60A56C2A6E6D33BA3B103ED0C444781A8EC038CD47EA0F4EB65146E922F52F0EF7BAAF6DE33807A00A663F7ABAF495346C1C649A4FBEFBFD2575C527AFA5E4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:_..........."!..0..............3... ........@.. ...............................B....`.................................<3..O....@...................)...`.......2..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........ ......................P .......................................j.*....T....D...)Q.rrZ1...@....Q...f.6#XWm.o)..\..J}kJ^.t.c..ED|......)..w9|.}.b...6.._2...b...$..i...z........0..)..BSJB............v4.0.30319......`...$...#~......l...#Strings............#GUID...........#Blob......................3................................O...............Z.............m.........,.W.........5.............p.....p.....p.....p.....p...E.p...b.p...z.p.....p.................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Handles.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15520
                                                                                                  Entropy (8bit):6.812071918414655
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:4915xIWArmWJYA6VFHRN7DmOEBmo8R9zMLlt:s1ehFClDmlmoQ9z8t
                                                                                                  MD5:ECD54205E9F9C25C99C25583E31BF19E
                                                                                                  SHA1:CBFBC8186DDDE62ADBE8323A68354A04B2C5EDC4
                                                                                                  SHA-256:020BA76742ED8911E167343EE9D1BED08C4F3F21C8DDEE0A306D163FF6B58FA0
                                                                                                  SHA-512:F9C24AECB0439B8C1EDBBBF6A3E6E90F69DB2B01225D7CBB444F4E757C6625900F695057CCBDB4DEDA40C7B24BE879DFB61324A0B1D908DDAAD9418E40FD5D92
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."!..0..............)... ........@.. ...................................`.................................|)..O....@...................(...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ......................................L...i.8L.G...H.~..0*K`..d.V.......o.....Qr....P.........i$.Qb...;..<.....H..:..O....{N.w..!...Y`..8o.Q...-V:.E#.BCE .RBSJB............v4.0.30319......`.......#~..L.......#Strings....P.......#GUID...`.......#Blob......................3................................................(.x.....x...f.F.................'.........L...........a.......................H.....z.....|.x.................@.....

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):31904
                                                                                                  Entropy (8bit):6.4408952831148465
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:NWHhUWxi5ciERQXIG6KMWFYpmGRuOWB/r1YA6VFHRN7ZE76R9zqgGcwH:gHpKMWFkmGsvBhFCli729z58
                                                                                                  MD5:7BC6DA57F4A287DE416B8DF0C1ECCF44
                                                                                                  SHA1:355DB90FE8B41076042315E3F8E967A3608DD2C6
                                                                                                  SHA-256:49314E6C92F60098842088CC69B2EA044F28EA571983191B6154F327302066E3
                                                                                                  SHA-512:C9B29F0DC2BE91D61EE4AEEDEB20F8C2526E0CED3A191E565AE118769101B83174AF091EDF9892FC10A39A199B6FC6B4A46A54E561BF24F76D74D23B0A699166
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....C..........." .....H..........................................................r.....`...@......@............... ......................................H........T...(...p..p.......T...............................................................H............text....F.......H.................. ..`.data........`.......J..............@....reloc..p....p.......R..............@..B............................................0...........................p.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.InteropServices.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51872
                                                                                                  Entropy (8bit):6.472004749878635
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:C5oK6fKfIPMWW/z2rg8Z61rvZqhwFLUFMjVYuPkKFClZts89zCVi:C5oWfIP8z2r1GqhwFIFMjVPPkmibzB
                                                                                                  MD5:268A59245835DBFBFD3C23BF744D39D5
                                                                                                  SHA1:55874A6B8EEC97204791FE1DCB081E85E50CA1C0
                                                                                                  SHA-256:0CD3306A5380E59B1C61B16461DD8A0A76E58D677E7DA1EC3741BB64EFA25AAA
                                                                                                  SHA-512:6929A0F97B645AE062F6FDE1F8593AA3AA4E89F14BC9A253718615477FE79D5DE60AECFE4C33B32B0579719AC2AC241A5B243D3CA0063ACB1CDEB984C858756A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d... @............" ......................................................................`...@......@............... ....................................... ..P........(..............T...............................................................H............text............................... ..`.data...............................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...I.n.t.e.r.o.p.S.e.r.v.i.c.e.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Intrinsics.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16656
                                                                                                  Entropy (8bit):6.679809972102448
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:G1d+WmkLW/YA6VFHRN7IUmRxB+R9zrPGkq21:4EFClIUmRxw9zb/1
                                                                                                  MD5:115B64552BE0B3A33E0645EB04D78D65
                                                                                                  SHA1:A7EE75D3913B34AEE6516DCA723FF5A0BDD46B78
                                                                                                  SHA-256:9FA85D63880EB178AC4D425F54E3A25A2E863EBF8DF62ABDA3333AD711B1ADAD
                                                                                                  SHA-512:93D02C37FA25936EC59F3EC1905BB071576044AC4347233833E7D692EF8FF5C6110B836EE92E5EC59BAFB8CC291185DCF694DA3C0493010A85B2993D55B39E3B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....#..........."!..0..............-... ........@.. ..............................j{....`.................................d-..W....@...................)...`.......,..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........ ......................P ............................................k"..%.oX...a....J..u...........Y..<..W@.t......,..b.#WO.!.......#m..:..0K.4....*&6.."v.."...n...C...A.b+0K.#..gBSJB............v4.0.30319......`.......#~..<.......#Strings....$.......#GUID...4.......#Blob......................3................................9.............................p.........?.....g...................1.....1...}.1...4.1.....1...X.1...u.1.....1...(.1...O.............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Loader.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16144
                                                                                                  Entropy (8bit):6.728895977359552
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:v0SQa4xxo6VW5bGWavpWjA6Kr4PFHnhWgN7agWM4DyH8RwX01k9z3A1Zx+XL7DnK:zQ36wW5bGWuYA6VFHRN7d9R9zmwjK
                                                                                                  MD5:B7D249F4C68AD5B4714FEB092732FFF4
                                                                                                  SHA1:B01157C38E9F36D0906ABA7292E546DAFC1059D5
                                                                                                  SHA-256:C58ED48A3B29E49D9DBF47338192E91F2CE16870973F6C20B316BA7747738497
                                                                                                  SHA-512:45FDA399159E5E7F0121A4672F36D3CA9B9CA24D66E810B0838C6D5BF331B8AC73905EBABE756F850E4E38BF96EF09ED0A0F08183067EF708447E0A136E61E31
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............*... ........@.. ..............................f.....`.................................8*..S....@...................)...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p*......H........ ......................P ...............................................9j'6^.)...]..z......EC....M..}.-.A....`.....L.i..1.o........7..{...k...0N.<<...[Y..?..#....dB<..Nk.l.....\..3.\r-BSJB............v4.0.30319......`... ...#~..........#Strings............#GUID...........#Blob......................3..................................................,...4.,...p.....L.......R.........t.....l.....V.....V.................................................,...........

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Numerics.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):221960
                                                                                                  Entropy (8bit):6.873049679860797
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:YjBg53qIzkOGjMD1jUZVEJrSlLXuDcWroW6p:8BgxqIz1GgDRKVEJO5uDcWji
                                                                                                  MD5:83067009F7425B98D4BDF066B6124469
                                                                                                  SHA1:DCBDD19E21C0734BAB3804908585C96F06E06CE3
                                                                                                  SHA-256:E3EFC3989359B0B0F66D1BED6B390F47B086E854FA1C96269244B353986A23BC
                                                                                                  SHA-512:B4CE3EF0C9E5B1288AA3BB159769C557B2409C34FA7250FA0FAB54A0C310031D834C6F948FF7DA4D27381AD9259E5E4285F414525CADAC64ECE080AAE88474CF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....0i..........." ......... ...............................................`...........`...@......@............... .......................................T..x....:...)...P......P...T...............................................................H............text...1........................... ..`.data...P....0......................@....reloc.......P.......6..............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...H.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...N.u.m.e.r.i.c.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...X.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Formatters.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):322840
                                                                                                  Entropy (8bit):6.6930952327752244
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:J2BNIzFraZFu5UJgNFmZzq5tqdKfB8wLyHfHwO/S14CFYgbj:eupaYUJgNFmZc+L/HwOsdD3
                                                                                                  MD5:118E45018A071C186DAB988B8DBB197F
                                                                                                  SHA1:9941E8744E34A5C932A1C76EB8AE8B1E7ABB3513
                                                                                                  SHA-256:3C9BAEE2E1D99E4145E3A3B26F9F53F7D1665239502AA16EC54F3666CDF0F84B
                                                                                                  SHA-512:A09C4219A56AEC62B00715E0DBBDBC899C089DBA1A834DDBBC5331B2840F24FE2A67B0714852D7F40248FC3C34928956AA3445B7A9B3CC752A54BD82648E9E3D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..............." .....p...R............................................................`...@......@............... .......................................o...........)......(....&..T...............................................................H............text....n.......p.................. ..`.data....I.......J...r..............@....reloc..(...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...S.e.r.i.a.l.i.z.a.t.i.o.n...F.o.r.m.a.t.t.e.r.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.714776898123936
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:QHqvyVWbumdB5W6fYA6VFHRN7pHR9z775md:AMyWXdBDFClj9zv5md
                                                                                                  MD5:1C18ECDFAFDCB5BE7926AC0444104990
                                                                                                  SHA1:77F654018ABC84CB8212E8D32BCC44A50C965BA2
                                                                                                  SHA-256:1A063D6F812489C64273AFC760B06C04E04BE1C140E7B196A0946D0D0175C8F2
                                                                                                  SHA-512:5AB501B82128514F718DB64796AE701CC612B7FAE62C0427EFCDD29869FF2A7DE6D257254CA785278EC459FD340DB770A14FE87E28B8C67409A95C0296DC7DE7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....]..........."!..0.............~*... ........@.. ....................................`.................................,*..O....@...................(...`......h)..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H........ ......................P ......................................LJ.v.8't.Q.|Y.u.....?...R$.Y....V.y..#c.k...r../....%{%c.N..]$..=w....C.O..^|.&..u..&..l...... M..`....'|...e.h?..TR....\..BSJB............v4.0.30319......`.......#~..|...d...#Strings............#GUID...........#Blob......................3............................................................3...........^.....a.......O.....O...w.O.....O.....O...w.O.....O.....O...G.O...I.........................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):28832
                                                                                                  Entropy (8bit):6.457861200692383
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jHWFI0JBrWtmtrwhpKH0sdbnMbKF+87makO2akSMHHDGEHsfbEbIYA6VFHRN7hBC:jqDJB+mtrewOW+8dxr1FCl7moQ9zV
                                                                                                  MD5:288B58AF49B3F25FE4BDDD61A7D87249
                                                                                                  SHA1:2CC6789B40BE3ADC7C48C22A469B03294909ED1B
                                                                                                  SHA-256:52E0F82696E628D652B2A88D3B82281B48729FAE5DDF171DC8A564B3C7C4402E
                                                                                                  SHA-512:8B8A7BC267A7CD5A4F65AE0951139B886C472E374769E2367CC47B658035C734BA73254D148EEB51FD8520F73708A77C3CC7A446CC2FD4944AB74B015383FF7C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...!E!..........." .....@...................................................p......s.....`...@......@............... ...............................................H...(...`..(.......T...............................................................H............text....>.......@.................. ..`.data........P.......B..............@....reloc..(....`.......F..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...R.u.n.t.i.m.e...S.e.r.i.a.l.i.z.a.t.i.o.n...P.r.i.m.i.t.i.v.e.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.Xml.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16544
                                                                                                  Entropy (8bit):6.7468972537613645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:0YklmI8NQv4RMWsBdBBgWsYA6VFHRN7PtHNsAR9z/rV:TklmI8NQwRibBBiFClFts89zzV
                                                                                                  MD5:BA0279DD1B0B0EB313A8BB8E55F06B3D
                                                                                                  SHA1:A15B141F593ED49233423080E257888DEAEA2538
                                                                                                  SHA-256:6DDE7015FCCB3AA24D6ADA31AD6796688205902195CE2CFB17360FD08A7B9204
                                                                                                  SHA-512:B76E0511DCA2BC0AF8F4A0C3DF6673DC6A2F932065AEA157219A55442F3D5606A633D77DEEB931741E3750CA8B24D6FD261A34D4A2A46CAD7E16470100DA107B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............-... ........@.. ..............................5.....`.................................p-..K....@...................(...`.......,..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........ ......................P ......................................$..s..*./~?$.r.0L.....|.Q^x...z..%W$~..ZT..(.\.. X.A;...ZoW...*(....s..W.V.-.i.../.t...().....D3S.7...h........9..H....'r..QBSJB............v4.0.30319......`...d...#~......d...#Strings....(.......#GUID...8.......#Blob......................3..................................................f.....f...W.;.................Q.........=...........R.......................9.....k.....m.f.......................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.Serialization.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17568
                                                                                                  Entropy (8bit):6.623513768064609
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:P6EvDj8NdwiLWgM54BHWFYA6VFHRN7oZBmo8R9zMLp:P6EvDj8NeiP24BuFClWmoQ9z6
                                                                                                  MD5:31BAEBC3E399093FB5925DB986172010
                                                                                                  SHA1:7ED9BB1471103CA17C5C5E4967D9EB09CC71B6E3
                                                                                                  SHA-256:6CD19434D4C97B20ACEC04EB372D08480072D16EB73EAB23D181854A8E789F3E
                                                                                                  SHA-512:232C4210C8C568346A2B342AC28EBEE631B5185CD8F2BF24F347EDBA02046F53887A0F9D4CDB89E6EC4B34C1E9FB65437E24728395B8A1F4E174359751D73CC6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p............." ..0..............0... ...@....... ..............................%.....`..................................0..O....@...................(...`......./..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................0......H.......P ......................./......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob............T.........3....................................,.....................f.......t...............7.......t...=.t...M.t.....t...B.t.....t.....t.....t.....t...e.w...&.w...r.........................T.....T.....T...).T...1.T...9.T...A.T...I.T...Q.T...Y.T...a.T...i.T...q.T...y.T.....T. ...T.....T...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Runtime.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):42656
                                                                                                  Entropy (8bit):5.805080563655079
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:wBV0jdpFKYl5f4bGRi2xVbcVT4pEQPFClV629zR:MedGYl5f4bGR3G0mQ9ioCzR
                                                                                                  MD5:3C99EB88F752B9D377C96ABE31B7CC06
                                                                                                  SHA1:3B7BB82E17FACDBFF666243E57D3B19B2565D09E
                                                                                                  SHA-256:787FF92525E6F78436E27C144BF888EE9714F07BF0ADD7EB8BFE1F7326E31810
                                                                                                  SHA-512:07B15FE4A1576E5346FB05F69276A11F9F94F9CD9131A25F8062631C276765C8445912025B9C633B81E5D4544261A8B5B664B87A679E6613CC91C4E21A6917DC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...HEb..........."!..0..t..........^.... ........@.. ..............................D.....`.....................................W.......X............~...(..........d...8............................................ ............... ..H............text...dr... ...t.................. ..`.rsrc...X............v..............@..@.reloc...............|..............@..B................@.......H........ ...p..................P ........................................d.....;......M.......i.iT..m{.\..u;B......(.\.....:......(m..:..d*^........^K.gY..t.wy.:..]....3..*..2...3..,........8.BSJB............v4.0.30319......`...l0..#~...0...=..#Strings.....m......#GUID....m......#Blob......................3................................T...............'.[3..".[3.....2...3....e.....>.. ....<3....<3....j!....j!....j!....j!....j!..q.j!....j!....j!..R.j!..&.[3..........

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.AccessControl.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):215320
                                                                                                  Entropy (8bit):6.694713736900479
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:2GFAFB57nGa7V/aDGB0krnx7lZnFW2iBeVICTiupU8TVUnVZ5PDMXZo1cQtSckOi:A7GaRaiBv7lZoeXZ/MI1
                                                                                                  MD5:1CD883D7FC4B80840F269602EBE7EC72
                                                                                                  SHA1:7301B341569A5FB6085795EC5DC016B5CB93ACDB
                                                                                                  SHA-256:91D7D0C8DE0D1B387200906EEF67D528BBCB8EC0D9726F292B6EBFDDA71E95DC
                                                                                                  SHA-512:9CF35D3E26F254180658F42C2BBDCB7EBDDF9B736F1F17C60C9A83912D477A9604C954C288303CD865E34C53D6B641EBFE90A9AEE4723E2D64C52614B12653D6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...-a............" .........$...............................................@......[.....`...@......@............... ......................................@W..p.... ...)...0.......#..T...............................................................H............text............................... ..`.data...n........ ..................@....reloc.......0......................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Claims.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):94368
                                                                                                  Entropy (8bit):6.447995362526241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:HeNGF95xttKvsq85yOuX3upafbqb958kGOQwQ7rzUU3q2bP6MOVK1iKmVzk:HeIF95VKscOuX3upEbqfyOVoOY
                                                                                                  MD5:649F20AA9F4B7DD23EB7160023B0A56E
                                                                                                  SHA1:A553D8B8A1EC4696616BC9D34CB33ED9AEBBB04C
                                                                                                  SHA-256:6E6FFD7211B25A806A466B48A729818A7A7592570D2BF926B8AC04D078220102
                                                                                                  SHA-512:C84C26A99CBF44831776F8CE7739112F385F779DEAF7F2256D4824EAF1BC013D6EE18B7B92F24B4D2257FED87ECBA8EB6BB1209795FC240D752FD2B5386F9641
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....<..........." .....4...................................................p.......6....`...@......@............... ......................................$-..<....H...(...`..<...p...T...............................................................H............text...T2.......4.................. ..`.data...!....P.......6..............@....reloc..<....`.......F..............@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...F.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...C.l.a.i.m.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...V.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Algorithms.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):808712
                                                                                                  Entropy (8bit):6.667176908618659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:p9Dux8VLSQjVqSlDrd571xOEc8wRBul3v8x5d4BSV:ptux8VLSQjVqSlDrd5n+BuZEx5d4BK
                                                                                                  MD5:A266B1B3765863C6F80A8A7DA92EBE06
                                                                                                  SHA1:2CE8B15DA8CEC846F447B7A1E3486883784DA143
                                                                                                  SHA-256:19595880A932FC70CBF4DC31C122E3341DFA6CFB9E3EE9999D66D861C4B03F66
                                                                                                  SHA-512:E01C2F91C20361D105CFF994E62D1AAC1D7788884F3DD076BEE287503958F23F182B60A7A5C7094B387711BC0B2032AF8A2D31FC8408D85B2DF91A0BFC85767E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...q=i..........." .........................................................@......[.....`...@......@............... ......................................L)...Y.......)...0..$....C..T...............................................................H............text............................... ..`.data...#~..........................@....reloc..$....0......."..............@..B............................................0.......................|...4.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...p.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Cng.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):486560
                                                                                                  Entropy (8bit):6.689433219916561
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:D0pdtbsk7ZTs0ilUfa0BEuUWZwgZExhelA1z:+DNTvih0BEuUWCgZExhxz
                                                                                                  MD5:01DA5B74F8CEA47CCDD769EA34B2E7E7
                                                                                                  SHA1:A9D2B1983176ADA553B4B608F2F5515432718425
                                                                                                  SHA-256:7B5C8CB2871FA9C53F20CB5316906CDD610357C904734C1E4B5BCC738FA29CB2
                                                                                                  SHA-512:9C260DF60E5F631751C2761E58A27D019E3515AF594C44557B36EA9A3CCCB976014C3767ED680637EFDA20D0EE77FC38ABBD7EF94186E17B3BE27D9566B10DF5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....]............" .........Z...............................................p............`...@......@............... ..................................h........2...D...(...`......P0..T...........................................................h...H............text...5........................... ..`.data....P.......R..................@....reloc.......`.......<..............@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Csp.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):189600
                                                                                                  Entropy (8bit):6.633371366781308
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:JNEmWBQH04BekCQUVP2xrwOy09JN/KBWAUQ335BotelqKaMJDBy/x9u:/WBQ3E1kjUBoteJM/xI
                                                                                                  MD5:73744EEF11A5BD7096F5AB01661A1CF1
                                                                                                  SHA1:772C4483635EC0A417139F8955A943D3D02BBBC9
                                                                                                  SHA-256:8FA0C869538128A9FB2A95AFA1ECF51D43A955A0EF719D9613E420DEDDBC3448
                                                                                                  SHA-512:14E14D4680AA4EB6F1AB2F0679B3B4E4B67EB012D32D03BE51DD116B0264547077C78F41DDA1504B9C048FC17158BFA763A363A5A8C1115B3905E4513FF890BC
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....b............" .....................................................................`...@......@............... ..................................h...lO..X........(..........."..T...........................................................h...H............text.............................. ..`.data....).......*..................@....reloc..............................@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Encoding.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):93856
                                                                                                  Entropy (8bit):6.408085753053331
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:9EhT10RdVH8EOY7wmlYcNLyoOeSRzmIevYcfiLrszHc:92SGEOY7K8LyheSRzmdvYqEAA
                                                                                                  MD5:081BA64231096D11B96E241626C3EFED
                                                                                                  SHA1:BA4F7864F8465DE68F6DE98B96FBE6E7444C1B1D
                                                                                                  SHA-256:B661157A26DACAAF86E88AA9E7443BA9FC19D1322B9E262B0A032320666B5E57
                                                                                                  SHA-512:4DCEAF18F9460650B7DB30FDC9A3CDF512FB9B97B482ABB0CCE54411B4A0572602F8337D4ACDB699CEB268DE11FA791B1D352276EF79AB71ABFD81BCB09ED9CA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Q............" .....&...................................................p......5.....`...@......@............... .......................................*..\....F...(...`..(.......T...............................................................H............text...C%.......&.................. ..`.data........@.......(..............@....reloc..(....`.......D..............@..B............................................0.......................p...(.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...d.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.OpenSsl.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32032
                                                                                                  Entropy (8bit):6.245677631794701
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:M9WAmDijRWtbwPV0D/F/pQ+1+HCeqtwlLYmxNOcVPFNNPUHX6HRN78FRxB+R9zr8:uyeqylLYm71VPRc3W8FRxw9zb0
                                                                                                  MD5:7F6966066BECB9A1F73DA461E07A036E
                                                                                                  SHA1:D983B4C573D241577E4CD7938CF6003D11B2D8CC
                                                                                                  SHA-256:7A9399BCAD3997D9CEAD01BDD689D3B92DC68E01601446510F2BDD9B4C3BF8A7
                                                                                                  SHA-512:13313E6EEC899B4B500501A866BE5742743C78AA6252270399DEBAE200A9D88ABF5DEC10ECF3BC8850629F2BE20F7B45D71654799418E3478A14271936846EE7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....{............" .....N................................................................`...@......@............... ......................................@........T.. )...p..........T...............................................................H............text...'L.......N.................. ..`.data........`.......P..............@....reloc.......p.......R..............@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...b.%...C.o.m.m.e.n.t.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...C.r.y.p.t.o.g.r.a.p.h.y...O.p.e.n.S.s.l.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...r.%...F.i.l.e.D.e.s.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.Primitives.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):134928
                                                                                                  Entropy (8bit):6.568383371998579
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:sspRk/BZX3krpmsUjMM+JbVUonV0hcbGWbrrrrrrrrrrrrrrrrrrrrrrrrrrrrr+:9RMBZXCPMRcbGnt5Yq
                                                                                                  MD5:A66428FFBD2EBDED73C9BC8A8D0A76B4
                                                                                                  SHA1:988AAC80A437781CDE6596CC654DB9776FF4AD84
                                                                                                  SHA-256:914CD0D9270A667393FC5F0F6E558887D18510466B42FF4DDAA0DB415DC3AE2A
                                                                                                  SHA-512:B7B20F4ED2630B9AB9F451A64D3FD9E82DD2AB64FB33B66BF01BA239C22214AD0A895C05DA2571BF6C46B7E3FD73E4609626E3EDBFCE08C0591F5F2D03E65E16
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........(......................................................<.....`...@......@............... .......................................;...........)......d.......T...............................................................H............text...T........................... ..`.data....".......$..................@....reloc..d...........................@..B............................................0.............................4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...h.(...C.o.m.m.e.n.t.s...S.y.s.t.e.m...S.e.c.u.r.i.t.y...C.r.y.p.t.o.g.r.a.p.h.y...P.r.i.m.i.t.i.v.e.s...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...x.(...F.i.l.e.D.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Cryptography.X509Certificates.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):569104
                                                                                                  Entropy (8bit):6.706114555400102
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:dcy1XS6la/9irY6jyFOagRMb2HwpYDgP7xmBVWUw7nzNZZmbS:1XSgw9A6YDgP7xmfWUwrTEbS
                                                                                                  MD5:7ED212CA1B7E3CECDE6B278B6A7B960B
                                                                                                  SHA1:8280B9E10FCB9263A3112E43C80F988F8CECE77A
                                                                                                  SHA-256:FAF2D2080ACB553C9BF44796F2A5DFD2FD9B4D5C273A940266EFF26D6677CD02
                                                                                                  SHA-512:6E5D79A1EF29DFA58242BF52154EE0A19338ECDFD064A250056FA46F5195CBBF96DF785B1AFEF689C41BECDD75BC420C1E7EF47102861026F951A8966E688A62
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ................................................................v.....`...@......@............... ......................................`...@8.......)..........x4..T...............................................................H............text............................... ..`.data...............................@....reloc...............z..............@..B............................................0...........................X.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.Windows.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):151816
                                                                                                  Entropy (8bit):6.6623046410034386
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:stiUGF+5xnwtF9cOtyeyvsuA1Hp7cyeo7Y3pN:OGAeSwasumLYL
                                                                                                  MD5:ACBCB2A44205E6CA75E4084C1CB1CFF5
                                                                                                  SHA1:846E040AB6E325EBA69A26C0B89BF9C018D5AE65
                                                                                                  SHA-256:56E35F6ACFBA99205CF2F27E9834B0B726CBCCA38A122C6CFE1ACDE1E398AC3D
                                                                                                  SHA-512:7C956DFE6C668C1466BC59F4F11A4C39325C3274B2198BEC979F3A2505BED08D16474E57843CD90ABBA930F9634A8D437CFB10FFBD9F3263C61E9344D0E1659F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...]............." .........$...............................................P......P.....`...@......@............... ..................................h....F.......(...)...@......x...T...........................................................h...H............text...e........................... ..`.data...U.... ... ..................@....reloc.......@.......$..............@..B............................................0.......................X.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........p.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...L.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.Principal.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15520
                                                                                                  Entropy (8bit):6.823849132456246
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:n8V/1Wi4fWcYA6VFHRN7ABmo8R9zMLWN+:nIY7FCl2moQ9zPs
                                                                                                  MD5:16DAC3D892053EF71C67B2C9BDC7F403
                                                                                                  SHA1:EB39F7E2AED3922FB475B2B0CF39ED5BC16A1168
                                                                                                  SHA-256:73CF3680065CBCF6D27EB607CEF08704763EC18280F139D973F4BFC6E6C3E508
                                                                                                  SHA-512:0FD4172EAC020227EDF2AB1A79C790364789C0595E5AC215F8E21527EACCED64F901777BBC30E321D68344F7DEC9E3046C479BECD8276ED2FD7ED8A59BA98444
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"!..0..............)... ........@.. ..............................J.....`..................................)..S....@...................(...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ......................................Ms.C"/.Y.H....5 ;1.......cO.Y...1...r.L.P.F....."..{F.d...;.ek!m...H..vA.oa.........[.z.j.OT^.[.......*..:..%.>t.F..M..=PBSJB............v4.0.30319......`.......#~..X.......#Strings....X.......#GUID...h.......#Blob......................3......................................F........."...........;...........f.......d.................k...!.k.....k...[.k.....k.....k.....k...B.k...O.k...v.............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.SecureString.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15520
                                                                                                  Entropy (8bit):6.809520266690687
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:1eraiTW1A3WxYA6VFHRN7ectHNsAR9z/y9R:1eraO+FCleCts89z69R
                                                                                                  MD5:B2332732ED17ACFCF4F331606CFD5B40
                                                                                                  SHA1:96455F14473711B41FC7F9E609E275010445E241
                                                                                                  SHA-256:DA85E41265986C66CFC87A6147AD6F699BE06E17318CC7228E5BC06782AAB803
                                                                                                  SHA-512:C5B85177A18DB48D74D2786F8B943D8104DAE3E30CBC6218C9834C93E8246F14D90B7428C0553B52A735AA5585A28983D8EF52018817BBC56C4D68CAA569CB54
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....N..........."!..0..............)... ........@.. ...............................|....`..................................)..K....@...................(...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P .......................................k.}.....@.....pg..N.e.W.=..8A.1..P!Mo..U.....GI{..K.o...@;^.......U.I.aYS.I.WB.4....p.80.6.....g..D....ov(.....>.gh>w4!EBSJB............v4.0.30319......`.......#~..P.......#Strings....4.......#GUID...D.......#Blob......................3......................................2.....................3.r.........^.......S.................Z.....Z.....Z...S.Z.....Z...w.Z.....Z...:.Z...G.Z...n.............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Security.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18720
                                                                                                  Entropy (8bit):6.611731936380794
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6+rueDWLr3WssDW5kpX6HRN7nd9R9zmwj+:weDW/0MyWl9zLj+
                                                                                                  MD5:7222BD0ED170B937B857CDA48DF38B29
                                                                                                  SHA1:EDE40D82947E7139CB96AD5E941D193AB8D25116
                                                                                                  SHA-256:91B24F7E448513335225FF739391C30CF398DFBCA53D704BD3026AD174EAC7E2
                                                                                                  SHA-512:0A20F683926A7328C74CA5552FAEFB12348DDBCD4347B32AC17A0F26FC7641C66654CEB72951338C2AD7420E097A238F62CFA372B45A1DA81EDCD8DDCA88F1A3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2!..........." ..0.............^5... ...@....... ..............................A.....`..................................5..O....@..X............ .. )...`......44..T............................................ ............... ..H............text...d.... ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B................?5......H.......P ..d....................3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......H...#Blob............T.........3....................................O.................p...~.p.....;...............O.=.....}.....}...e.}.....}.....}...'.}...D.}.....}.....}...n.................7.p.................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'...y.'.....'. ...'.....'...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceModel.Web.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17688
                                                                                                  Entropy (8bit):6.6159722799904985
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:RiSEs6760DX88kgHWGlK5WDWVWxNzx95jmHnhWgN7acWcqcADB6ZX01k9z3AvB2Y:Rx4HWyK5Wi2X6HRN7HqcTR9zi2ep
                                                                                                  MD5:0BE0FC7792DD4107FACCBB6C5E819429
                                                                                                  SHA1:7CE6C761D7197927B0C9B670B25F95FBA8677008
                                                                                                  SHA-256:9FC7DB5B190DDADA2AD2B2C5C0B428D14CD107A868B0B0D06BF83D7E4B2B1187
                                                                                                  SHA-512:50AF80A385BCE161506892B1FF136AD28C4AAFD18B27475F1362FE4FD0CA5583B00F3D1400E2CE0BBD1C6526793596500F8C90B6F4FC60E25687BCDFE91D3F2A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....`Q..........." ..0..............0... ...@....... ..............................;.....`................................../..O....@...................)...`..........T............................................ ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................./......H.......P ......................`.......................................BSJB............v4.0.30319......l.......#~......,...#Strings............#US.........#GUID.......P...#Blob............T.........3....................................&.................................%.....?.....^.......S.....S...t.S...+.S.....S...X.S...u.S.....S...(.S...D.H.....H.........F.......{...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ServiceProcess.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16656
                                                                                                  Entropy (8bit):6.719664758889804
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:KlLKpWniklpFWTYA6VFHRN7eRxB+R9zrPGXMBu:KlcFCleRxw9zbVu
                                                                                                  MD5:6D61C8D8F949F7899E5BDF02A9186D52
                                                                                                  SHA1:3BF8837A00B740FEC56E538BBE0758323E6BE5EE
                                                                                                  SHA-256:1765BF825BD322CD3F2C9C4F282F6B4B2874AB5F54424CF88BAFDCF3806B650D
                                                                                                  SHA-512:F3219549CC1222130D4560C06EEDAD0D393F2C5F3456638FA8990D47D919BF69BB5895E2E64CEFB24057F257219B9F9BDC7946D930C098AD6E01ED37CD297607
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............,... ...@....... ..............................o.....`..................................,..O....@...................)...`.......+..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ......................H+......................................BSJB............v4.0.30319......l.......#~..<...X...#Strings............#US.........#GUID.......P...#Blob............T.........3..........................................o...........w...7.w...v.d...........U.........~.....B.................a...................................".....\.H.....w.................^.....^.....^...).^...1.^...9.^...A.^...I.^...Q.^...Y.^...a.^...i.^...q.^...y.^.....^. ...^.....^...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.CodePages.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):871072
                                                                                                  Entropy (8bit):7.503965752504184
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:C47xn7kZQ6kliVreJIHHr0tRYbKr2KtG9VKABC6rPOREDfP7/1qilhhWn8:CK9km6k/IwRYbiBeKGCtREDrZlLI8
                                                                                                  MD5:A297FAD4F040D3BE6A776823222370A1
                                                                                                  SHA1:7B21ABDAC2864A1D23580028F106ADC07D7FF079
                                                                                                  SHA-256:4C10D3F1879DCB256A5F55A4975160CB01D87B0857A71BB76C5D1B94D9735C58
                                                                                                  SHA-512:E0926A9C29E7FFDFBF6054A73CF5E0A102ECC8E1C0833E3AD67EB0F519D0D26B2C704292C19D66548AEAE1A4D49FC548CAC7D7426CB48FE5476343196D639D7A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...EL*..........." .........&...............................................P.......f....`...@......@............... ......................................LJ..L...."...(...@......."..T...............................................................H............text............................... ..`.data.... ......."..................@....reloc.......@......................@..B............................................0...........................D.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.Extensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.713017326605703
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:RTZv49xxhXW6aJWA0MpWjA6Kr4PFHnhWgN7awW9xu3O6YX01k9z3ACTEmv:Rtv0XXW6aJWCYA6VFHRN7MR9zpTr
                                                                                                  MD5:9BA8E74518DE0D3C89CFD095D76774B3
                                                                                                  SHA1:4D5C19C83AAF0358557302598B305C92245FEEAD
                                                                                                  SHA-256:B577A2571AF2A31531E7AC1F42AD0E82D9ED6F0C51C91DBCEAE151974FA9D733
                                                                                                  SHA-512:A5F03F6F7E9D80662EB904E52A362269964AC2BA7D7821CEE86330BE80CD55599FF929DCB041870CA9EA10332503992CFB6AF74AF7CF78E4067D71688577D436
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^............."!..0.............n*... ........@.. ...............................<....`..................................*..O....@...................(...`......\)..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P*......H........ ......................P .......................................E....W..H...ln...5.c..h..+}.-.. W..X...>btG..!..J...^`.[...zj..65.K..*n<.>.NG*y........3F...(o.p.X??}.qH..I.c..:.9.*8.BSJB............v4.0.30319......`... ...#~......H...#Strings............#GUID...........#Blob......................3......................................v.........I...........b.............H.........$.....b...........H...................................i.....v...................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encoding.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.76321590690436
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:Rc+gBIocxxXUWfONWjypWjA6Kr4PFHnhWgN7awWtH2Wxu3O6YX01k9z3AC/Uf:SGNUWfONWOYA6VFHRN762gR9zp/Uf
                                                                                                  MD5:DE2D5FFC7DA3DDC810E5AE721879C79A
                                                                                                  SHA1:0017D411EA8D53ACF3286062344AE92966B74D71
                                                                                                  SHA-256:2A004633F91DC186CB645312BDB34B8148244BF65D9F4EF64EA0272581DF0E00
                                                                                                  SHA-512:0C24AD14FF77A63B3A829EFBBA88E5C9DF6DD74E30AE6BABF9F4F05B5F986BCAFA1572835BD20E49B5560919B313FF4EFC6862ACEF3707BE8FD73495A75F0120
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..._............."!..0..............+... ........@.. ..............................P.....`.................................P+..K....@...................(...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P .......................................3.f..v.........M?|.Qh.d..9i.h].*...c2.."..f...0......5...4..%.`j.L.....~P.S.M.....y...Y...x.....0..|.!.:....... |........6BSJB............v4.0.30319......`.......#~..........#Strings............#GUID...,.......#Blob......................3................................................"...........;...........f.............................!...........[.......................B.....O.....v.............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Encodings.Web.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):131232
                                                                                                  Entropy (8bit):6.509086593989503
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:mx6SikhsB8/IZL15zgxiFS2NjNc2aBor8c5qUCNr6iAoAnlJH9RCbFAgynBRg9Pl:mx68p/UjfYxSwKqqOAl/RNlnzg9Ra41x
                                                                                                  MD5:7D2E013F3006010DB2765A9FEFF1B6D8
                                                                                                  SHA1:E2C9523830A3CE2D5F600303307527A1C509F05B
                                                                                                  SHA-256:4399526804152950F4BBE11411495790A03DE100EE484E42E0E35F5E211C045C
                                                                                                  SHA-512:3191D9C4EFB3DC14D8BF13349A10DDED28E7647628ECE3722B0CF2656A8F1F135936A6713C5A685A701B6ECE4278EC57C4BC4FABD3B56A65D5EA00FDFECFF59A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...n............" ......................................................................`...@......@............... .......................................0...........(......,...h...T...............................................................H............text............................... ..`.data...K...........................@....reloc..,...........................@..B............................................0...........................\.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...Z.!...C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .t.y.p.e.s. .f.o.r. .e.n.c.o.d.i.n.g. .a.n.d. .e.s.c.a.p.i.n.g. .s.t.r.i.n.g.s. .f.o.r. .u.s.e. .i.n. .J.a.v.a.S.c.r.i.p.t.,. .H.y.p.e.r.T.e.x.t. .M.a.r.k.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.Json.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1483016
                                                                                                  Entropy (8bit):6.815422206418889
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:6I8nUX27d6bHUw33pdQh6I1T3bpbh4kiiqggS:6Ip4EP3pWh6ybfn
                                                                                                  MD5:DF5F08F791218A56DF0814A523EF6140
                                                                                                  SHA1:9660F398F01ED1E856EB88C3C7EE4DF56875FFE4
                                                                                                  SHA-256:FDA5F4C3C49C7DD89A973B85FD369286B174604BBA731777C6C84D10C688E135
                                                                                                  SHA-512:26ABDBAC88C09E847B9B005982D709D1CC0D6AEFC58D09D98944BD7A04CDB75A6DFAA2E3B573C837906BF2C15D19A3452396A2FFE31937196FC0A3701F71FA6D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....)............" .........H............................................................`...@......@............... ..............................................x...)...p.......P..T...............................................................H............text....-.......................... ..`.data...&-...@.......0..............@....reloc.......p.......^..............@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0.....I...C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .h.i.g.h.-.p.e.r.f.o.r.m.a.n.c.e. .a.n.d. .l.o.w.-.a.l.l.o.c.a.t.i.n.g. .t.y.p.e.s. .t.h.a.t. .s.e.r.i.a.l.i.z.e. .o.b.j.e.c.t.s. .t.o. .J.a.v.a.S.c.r.i.p.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Text.RegularExpressions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):530080
                                                                                                  Entropy (8bit):6.7790299482557845
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:ojaCSWfE1hvpmzn7z/HpVxn87bC/m+VvHKHhiKpwR4wcMPVZ22R3+yLAR6Bt:bW2Yzn7z/HpVxn87e/m6CHhUPVZ2qjLd
                                                                                                  MD5:E1BD563427583B969B5CD81AE03CF21C
                                                                                                  SHA1:F0951B08E22C3A111ED6551CFF96CA65BC68D5D5
                                                                                                  SHA-256:32BDA8FBC0E27628E5960023F9B3497474AD45BE38A26DB91DDCF994AEA58023
                                                                                                  SHA-512:AEF13497EC93C68AC4714FA6D1584BA3FFB05035483A1AD51F2F56272F530E4A8F830201151321DB85EA31E31EF86609FFD69115180931169CCC78FF8051305D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .....|...p......................................................."....`...@......@............... ......................................|...|).......(..........0)..T...............................................................H............text....z.......|.................. ..`.data....f.......h...~..............@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...V.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.e.x.t...R.e.g.u.l.a.r.E.x.p.r.e.s.s.i.o.n.s.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...f.....F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Channels.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):125208
                                                                                                  Entropy (8bit):6.6926595622420795
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:EWHXI3rkKaiG9fxBFXRPxlhzKhtTwg8AHWDV5ydNLnM:H33Z95BFXRplhOzwDDUNQ
                                                                                                  MD5:9FAC44D3F1D3714F6BCDECBC911BF634
                                                                                                  SHA1:F5FCA532CD5A29E9F41FE5FEEEB5CD1EABA42DFD
                                                                                                  SHA-256:6C05C1BF3E425FE11833522D910EC9474345102E794CB3C4A05377F28DEB0D5E
                                                                                                  SHA-512:262065DF3C55D85629E9A57AFFEC41E4DF8AF5577131F5318124AB8D9B68894A1EC8D788CAC0A25596C6D20B50B9BAC0D2DE9E5B098D034FC14CA9558D43F7D3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." .........*............................................................`...@......@............... ......................................T7...........)..............T...............................................................H............text............................... ..`.data....%.......&..................@....reloc..............................@..B............................................0...........................8.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...t.....0.0.0.0.0.4.b.0...8.....C.o.m.m.e.n.t.s...P.r.o.v.i.d.e.s. .t.y.p.e.s. .f.o.r. .p.a.s.s.i.n.g. .d.a.t.a. .b.e.t.w.e.e.n. .p.r.o.d.u.c.e.r.s. .a.n.d. .c.o.n.s.u.m.e.r.s...........C.o.m.m.o.n.l.y. .U.s.e.d. .T.y.p.e.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Overlapped.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.7130883870672715
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6NB+HYCHjXuHVdHDH/WcwHWqYA6VFHRN7KmZR9zpvl:sQnhFClKmT9zH
                                                                                                  MD5:0571ACC76195386BB9D7FEFCF854C263
                                                                                                  SHA1:51C8E70BE147A9C82D49B26B5FBE9BD2EF8369CD
                                                                                                  SHA-256:0199A3E5BC94A8DDDD07EF619683B1831B13084BDCB44D30CDF959A567B69A59
                                                                                                  SHA-512:EF886BE55AEF9293A2259433C4FBB405F8BDA6A67025E235D612AC341B1A8AB3920A8B59F3E87E466300A8EC62C5813C6673F268311C967C98590061ACF2F17D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............"!..0.............n*... ........@.. ..............................-.....`..................................*..W....@...................(...`......\)..8............................................ ............... ..H............text...t.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................P*......H........ ......................P ......................................!.z.e'C.._.o..p..Z.b..K1.V.F.X...J..z..'F......d.+...0..."..._._.....k...m~^biT....l*......(......4y9.bV?P...Q.>...c.....vBSJB............v4.0.30319......`.......#~..x...H...#Strings............#GUID...........#Blob......................3......................................................4...........7.......c.........t.....}.......c...V.....{.................9.....................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Dataflow.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):505624
                                                                                                  Entropy (8bit):6.776900991764264
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:95En4vc03uPIhST/NO/bT8jM5REzxEQRChwMeVB8v3Gu/L2SJESGskfT5v3P4m9J:95sEqChwMyB8fGdSSvBb5v3xeNEd
                                                                                                  MD5:BE2332F27FECA6E279C382151EB1F6B1
                                                                                                  SHA1:31E2F490BA6EC094FC894480D18D62FDC32993B8
                                                                                                  SHA-256:A42B2F43B7CEA67E6ED83EAAF02A487EF22EE4891ED355654B899CE9C5D3062B
                                                                                                  SHA-512:05962BCCD50DA22CD9500C3F57D4AB86BD351AD6069F30B494E3DB7DB5841FC0689092DD2C7243A11A0A853B763121EE6CA9F3B3CD693B7D3FD6BD9F05234C98
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...(............." ......................................................................`...@......@............... ..................................l.......HB.......)..........x"..T...........................................................p...H............text............................... ..`.data...J...........................@....reloc..............................@..B............................................0.......................\.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........t.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...P.....0.0.0.0.0.4.b.0.........C.o.m.m.e.n.t.s...T.P.L. .D.a.t.a.f.l.o.w. .p.r.o.m.o.t.e.s. .a.c.t.o.r./.a.g.e.n.t.-.o.r.i.e.n.t.e.d. .d.e.s.i.g.n.s. .t.h.r.o.u.g.h. .p.r.i.m.i.t.i.v.e.s. .f.o.r. .i.n.-.p.r.o.c.e.s.s. .m.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Extensions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16048
                                                                                                  Entropy (8bit):6.806161371697177
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:sz05p091rcmeD9RhGWSgXWhX6HRN750gv/6fR9z+AnVRZdn:sgAkZ6W5O9zhnLn
                                                                                                  MD5:2E73D00493B815F11A05C3F63CD4C0DF
                                                                                                  SHA1:24EA414EEF67A44D342CBAB0E154E4A6F8AF1E7B
                                                                                                  SHA-256:CF03542DBC9EE66F39B1F7FF1F3C140FFDEB95995D852E2491EF347F291C2957
                                                                                                  SHA-512:C9A9446033D4948AAFD99BB22CFA2C9D877CFAFAE63709229C6D12CAF087BEC8FDE12E6AECDBCFBE646065CCB5C55C80927680DFE4DB74D8DC96A03565CBC8FD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................"!..0..............+... ........@.. ....................................`..................................+..K....@...................(...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ......................................a.J..!....>..@..b..=..7u..E...D.b.......Y ~...s=,P&.A......n6.PX......@.._;.{f.....Gw.x.UY....Q......m..x..%J.3e.C.1.Q.W.)BSJB............v4.0.30319......`.......#~......8...#Strings....(.......#GUID...8.......#Blob......................3..................................................z...v.z.....H...............G.......[.....[...............]..........._...........9................./.z.....p.....

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.Parallel.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):139024
                                                                                                  Entropy (8bit):6.704071507025856
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:Sd+D1EGnNfGAKUDXxT3LBzdQZ4/FJg9G5jR291oVcJ5u5:u0yGNGAKUbxxzKZ0UaC5M
                                                                                                  MD5:871F001E647F2E6D7551532D9EE70D2D
                                                                                                  SHA1:54CF7E2831EE44826FC58235C3061CB51C2FEAFB
                                                                                                  SHA-256:5B1A7C891F6ADD857693B9714C56557F1001157F563E6FEF52379FA78EA5BFE8
                                                                                                  SHA-512:6D54B13688A72FA3291FA696B9525A4FAB7C50F35C35935F08AD5E326ECE4E15B4F1DE379F9B85BD69D543407662115ED26D94EB5C83E09CAE0DF2B644A61835
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...Q[U..........." .........*............................................... .......!....`...@......@............... .......................................;..(........)..............T...............................................................H............text...b........................... ..`.data....%.......&..................@....reloc..............................@..B............................................0...........................|.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...X. ...C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.h.r.e.a.d.i.n.g...T.a.s.k.s...P.a.r.a.l.l.e.l...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...h. ...F.i.l.e.D.e.s.c.r.i.p.t.i.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Tasks.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17176
                                                                                                  Entropy (8bit):6.719573029193257
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:xKJvCj4AG3tNKouqFC+TD9WHszWhEX6HRN7tce2R9zEc1C:xKNCj4LNHuk9WfK9zHA
                                                                                                  MD5:197A66A19CA592B21A8FF96863C5F0C0
                                                                                                  SHA1:E6C06A1E76583E2DA4705EF43875F955296EB039
                                                                                                  SHA-256:0DAFA5A7D8311AA41E2E40CA3E279D8ED46B8723F7AC871ADD9FBC9CFD728292
                                                                                                  SHA-512:A01233DE285889C9577E632B20F882D695C99338200F31C832EB6C8468E81F5F01E497C576E831AB23EA2E4DF78D8A248443546FCA95BBA490792A043FF2AF09
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0............../... ........@.. ....................................`.................................h/..S....@...................)...`..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................./......H........ ......................P ........................................L...j......%g S.....|.1jvF'..V.Ht..E.>Zu.[.;M..U|..&..(.(V|]..............cn&z# Pzl.b...."......v.}..y..J=g.~..w.''H..BSJB............v4.0.30319......`...P...#~......|...#Strings....,.......#GUID...<.......#Blob......................3................................/.....Y.........\.7.....7...u.....W.......&.....t...7.....@...........[...................................|.............7...........

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Thread.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.743184429618755
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:hz2EoZVkD4WcU7WlYA6VFHRN7zErtHNsAR9z/4K:FwuGFClzKts89zQK
                                                                                                  MD5:42EAEAB968F6373477713CA452CFAAEB
                                                                                                  SHA1:E0AD261919F5810907B3359E586A00EC80A94804
                                                                                                  SHA-256:B25C3DC708B65DE0393F7E450105A71B480F2A5D1F8CF0E8C8580E20A5FBCBB0
                                                                                                  SHA-512:26757C8388B3D2751138F136D25110AF43ECEAF4CD2F01D5D2F113E7990F0CB98C3832B767E91F283FA215394C278365CA19C5C397641F105B325B8088063FB8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0.............>+... ........@.. ..............................Ve....`..................................*..W....@...................(...`......4*..8............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ +......H........ ..d...................P .........................................~?....._h.ys.N.../.8..A......h.Y...Z...C..8..fW...$.........4v..\.48F.H.L.=..-7}...._..P.]..0?.$..}.d.xX.%\.......S.._MBSJB............v4.0.30319......`.......#~..........#Strings............#GUID...........#Blob......................3......................................].........U.@.....@...n.....`.............y...0.!...9.!.........T...................................u.............@...........

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.ThreadPool.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.696655038011177
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:duJ92HRT5BgWEIvWqYA6VFHRN7jD/6fR9z+AGs:duSPVFClw9zhGs
                                                                                                  MD5:31939565A9F07F3F49C54FAD45801A00
                                                                                                  SHA1:65BA7980289BD49EF02850CE99D8B3925DEB6CED
                                                                                                  SHA-256:6DE1F9CD04748D01103B2CBBEAF8E9FB671F9ACA79E8A1D68D741BA3FD504B72
                                                                                                  SHA-512:0874344B998AF7178A84AF77B9E855C9202957F6519204F7EA45D3DEAE080D46166695D8AB6ABE216C9E92EEB92FDC52A75D985ABB9921CEAA505DFDF072DF29
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8.U..........."!..0..............*... ........@.. ....................................`..................................)..O....@...................(...`.......)..8............................................ ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H........ ..D...................P .............................................0`<...Z%b*.D.\..\[$F...>..HX.h.DY.6.[.......f........./..C......O..S..#.&P....N....}..A..{E..'.....S.;6..|tY...yK.)BSJB............v4.0.30319......`.......#~..d... ...#Strings............#GUID...........#Blob......................3......................................P.........7...........P...........{.............................6...........p.......................W.....d...................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.Timer.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15640
                                                                                                  Entropy (8bit):6.822464705364611
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:pf6juqM5MWMWsXCW/dX6HRN76y/7R9zb3J:MuaRW/F9z9
                                                                                                  MD5:E507D8F4299A16AEBDF20F8C226D7721
                                                                                                  SHA1:8D97F1AE505F72B59C939C55D4C0EFACD46D4525
                                                                                                  SHA-256:F3651DE4AEC67E4C937CB219AFD0C07B2338B8D8FAF3D3636B8C678C3E3DDC33
                                                                                                  SHA-512:84E9265E59B58BEC360FDBD9A17D1DD8BA2245FEA11DC66F352BB5ECECA3409AE5568B8A620FCB39F5F4E2FF046C7E11EAA492ADF386336EFA655BF3BC799383
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k............."!..0..............)... ........@.. ....................................`.................................T)..W....@...................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P .......................................@j.Q...FR.n...Y.......ja..Z$.P.......p..w.....(..*....#...?...xr....n.].(..Mm..iy..ws..h...t.7.\..u..u..k...C..I..+.<`<(.FBSJB............v4.0.30319......`.......#~..<.......#Strings............#GUID...(.......#Blob......................3......................................(........."...........;.y.........f.......C.................J...!.J.....J...[.J.....J.....J.....J...B.J...O.J...v.............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Threading.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):80160
                                                                                                  Entropy (8bit):6.552617630589504
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:xk5Rj1Ku+ydo98uGxdUJpRH7AveQWA3zg:xk5Rj3o9wxdUrKveQL3c
                                                                                                  MD5:B754A2BFD575ABDBA9F77D1D6BF6980E
                                                                                                  SHA1:1D21B27B5112887AB72DDE91691C69D87C8F3282
                                                                                                  SHA-256:6DAAD511BB06971C76A7007D31DB88013876A9BC07B899C78536770C1D901983
                                                                                                  SHA-512:85B9A08D7CA1279CA2EC579FBE48E9E5E4BB547D865BAEFCB37925D31453160E681E2A4B46231F6B315CBA0AA5892BAE4FC98CF882A708D1A8E4FB61A721F0CA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................" .........................................................0.......l....`...@......@............... ..................................d....*..\....... )... ..$.......T...........................................................h...H............text...K........................... ..`.data...............................@....reloc..$.... ......................@..B............................................0.......................T.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........l.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...H.....0.0.0.0.0.4.b.0...:.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.h.r.e.a.d.i.n.g.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...J.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.e.m...T.h.r.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.Local.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):351408
                                                                                                  Entropy (8bit):6.645438345682704
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:RtgASVaxfSelpxZvc/sQQHrnAIg5UotQKm9Wm:Ru1MfSel9cSbeusu
                                                                                                  MD5:6EB30716DB16FCAE13DE2878B364834F
                                                                                                  SHA1:FC5F0E68985BAD853CCCD4161240301F89BF1EBE
                                                                                                  SHA-256:1154CFA28DDD245FDF6A66CE66F9F2AEC217FA5CBE85FE43D24203BFCC8E9D56
                                                                                                  SHA-512:7829A405590415366DBFA82AE688728E0D42A844DACC0BC2BE6050223743FF896B92A43C1756BD2960F31B52154E2DD0A460C9059AA09B3EC82B223D642DCFB6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....a............" .........X...............................................P............`...@......@............... .......................................z...3...4...(...@.......*..T...............................................................H............text...N........................... ..`.data....O.......P..................@....reloc.......@.......,..............@..B............................................0...........................L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...L.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...T.r.a.n.s.a.c.t.i.o.n.s...L.o.c.a.l...L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...\.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Transactions.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17160
                                                                                                  Entropy (8bit):6.671296739666298
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:p5uFRferVWzniWQMYA6VFHRN7TbV2R9zEx0H:3uFRam0MFClnVK9zou
                                                                                                  MD5:D07CB5BEB58C160D2C91CD7BD180279A
                                                                                                  SHA1:4B8ED2324043AB385754645768735CC18381B484
                                                                                                  SHA-256:B1758317695CA37A11A6B28D6580BEAA3E24B84C31BFFE08268B1B9D1A3EF66E
                                                                                                  SHA-512:DFD5DE8F66D4B743E7633A4C7FDBDAA6A9AFA0D886B17540D0DC7991294554E1E37E6BF690BCEDABA6E2DE51620F01B87BF08AA5F4A42AB99DED342BCD46F473
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....x..........." ..0.............j/... ...@....... ...............................W....`................................../..O....@..x................)...`......8...T............................................ ............... ..H............text...p.... ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B................K/......H.......P ..h....................-......................................BSJB............v4.0.30319......l.......#~..d...4...#Strings............#US.........#GUID...........#Blob............T.........3....................................$...............f.O.....O...^.<...o.................H.....*.................+.......................r.....,...........D.$.....O.................6.....6.....6...).6...1.6...9.6...A.6...I.6...Q.6...Y.6...a.6...i.6...q.6...y.6.....6. ...6.....6...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.ValueTuple.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):15640
                                                                                                  Entropy (8bit):6.8271170909193595
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:ztCdcH/3WtLGW/0X6HRN73SVXC4deR9zVjoxE:zt1WcW3SVXC4dC9zVjGE
                                                                                                  MD5:F741922F1BE081E21EDA4B2914767B53
                                                                                                  SHA1:F9ED958AF5E6C03AF36B96B186CD7E401C4052AC
                                                                                                  SHA-256:8DA6AB511A6534D713978692672EC276F314A47CB5DDC14C86504AE60C2FEA47
                                                                                                  SHA-512:7F0FF4397FDA2F9431B7B6D9293CA67337F0A14BB6413657E5930444564CA9AD782BA9BCD8D58051DA9463C15FA976DDF6C468EE2AECF16461FE494C01EA20C8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."!..0..............)... ........@.. ..............................e.....`..................................)..K....@..h................)...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B.................)......H........ ..,...................P ...........................................:....z.5......c.1..xy..x...?.I.c...$.:~o....Q..h..c......b.E...Yi...P;...*............~.....gI'...]..w.y...M..x..j.C.{BSJB............v4.0.30319......`...@...#~..........#Strings............#GUID...........#Blob......................3......................................]...............%...................C.....s...Q.z.....z.....z.....z...4.z.....z.....z.....z.....z...........i.................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.HttpUtility.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):53008
                                                                                                  Entropy (8bit):6.688774065052827
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:AwDvSbAkyFFQk7Y32OoPXCcPAhiTEp4zg:ASvSb0Fg2OdNhwXs
                                                                                                  MD5:F5962FB172B47E10C89F6C1B8D4783F9
                                                                                                  SHA1:62619E522B88328038800E6A38A0084E8F17E934
                                                                                                  SHA-256:917175687C1BD5869B905A142D63D22BAF42A8BA362096864DE7A66F69047EC1
                                                                                                  SHA-512:0771E5854C791BC839973E892A1CA90E1FFD3A3FD86D9D7C64FFDAA2A5D0B23EE4D1CB6C56DACADCBFD8F1D3416F4061226F9EAF861E4C020200E38730A082C2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d................." ......................................................................`...@......@............... ......................................\!...........)..........8...T...............................................................H............text.............................. ..`.data...&...........................@....reloc..............................@..B............................................0...........................<.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o...x.....0.0.0.0.0.4.b.0...F.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...W.e.b...H.t.t.p.U.t.i.l.i.t.y.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...V.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....S.y.s.t.

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Web.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16136
                                                                                                  Entropy (8bit):6.716371448586581
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:3EBNDT7WV9o9W4YA6VFHRN7KS9/7R9zb3p:3uxdFCl1F9zF
                                                                                                  MD5:3963AEC41EFA623195DC1B54BCADE00F
                                                                                                  SHA1:248D5777CB7DADB14613AA943120FE5DCC83315E
                                                                                                  SHA-256:5AA37A176F95A69D752260EF02DFDA1032BC2874232C4F6136CDD63B97A122D6
                                                                                                  SHA-512:07F393245A075E135C33EB7DE8E4432EA8AB3128CC6584019389EFE484C0BE921E6162F86ACA7A634C1482ED1E23EAA92686CA4543D1B2F9BC17AE32A3290370
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,............." ..0.............z*... ...@....... ....................................`.................................%*..O....@..8................)...`......X)..T............................................ ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`......................@..B................Y*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....0.......#US.4.......#GUID...D...D...#Blob............T.........3....................................................6.Y.....Y...X.F...y.......................$...........o.......................V.....l.................>.......Y.................@.....@.....@...).@...1.@...9.@...A.@...I.@...Q.@...Y.@...a.@...i.@...q.@...y.@.....@. ...@.....@...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Windows.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16664
                                                                                                  Entropy (8bit):6.684122110106261
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:dyaMtw0IWEXSWKkX6HRN7YDcTR9zi2elD:nldrWYAV9zpeB
                                                                                                  MD5:82991C800672C8C8F6EBE3E91C497480
                                                                                                  SHA1:43FB34B32C01418A5B58C093CBB87C6775601B2C
                                                                                                  SHA-256:5E7316F534DD1E38D31F780C962DD66A208C985766C4B9368EB8CABE550B04DA
                                                                                                  SHA-512:407E343770005B1D15FE2DA8EB6EA04D4537FE817A71B4010FC638620DA236FD0C56A1D097774D5CB74FB141888C3793FCADD438E64CB49D27308F491B94BDE3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...aT............" ..0..............,... ...@....... ....................................`..................................+..O....@..X................)...`.......+..T............................................ ............... ..H............text...4.... ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................,......H.......P ..4....................*......................................BSJB............v4.0.30319......l...h...#~..........#Strings............#US.........#GUID.......@...#Blob............T.........3......................................................Q...&.Q.....>...q.......D.........m.....y.................P...................................4.............Q..... ...........8.....8.....8...).8...1.8...9.8...A.8...I.8...Q.8...Y.8...a.8...i.8...q.8...y.8.....8. ...8.....8...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Linq.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16648
                                                                                                  Entropy (8bit):6.676823175680729
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:KhMvGUhsO/IOW1l4WOpWjA6Kr4PFHnhWgN7acW6ZusyttuX01k9z3A1ipuI:jRsYIOW1l4WOYA6VFHRN77gSR9zWipN
                                                                                                  MD5:9B199D5A54F72278382972497F097E1C
                                                                                                  SHA1:2FC93773CE859318FEA293E1553616E5545D1973
                                                                                                  SHA-256:ADA298EE6BAE973FD1CC6E010B0DF89A137E144EDB6BF2B2EB8F5C9F516B0767
                                                                                                  SHA-512:30E4917B014728E28B5C21A91BD1F0DA27D09083576E6E4091B19E61CA7E7F199EB568B82DD94F5A2AF9EF02211231395D3C39B4874E4B81F217972995350845
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............,... ...@....... ...............................+....`..................................,..O....@..X................)...`.......+..T............................................ ............... ..H............text........ ...................... ..`.rsrc...X....@......................@..@.reloc.......`......................@..B.................,......H.......P ......................(+......................................BSJB............v4.0.30319......l...l...#~......<...#Strings............#US.........#GUID...(.......#Blob............T.........3..........................................f...........+.....+.........K.......;.....z...d.....p.................G...................................+.......).....+.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.ReaderWriter.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22296
                                                                                                  Entropy (8bit):6.362401884446514
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:u125qkxK67ex4FCcuRW1dAWepX6HRN7FR9zRYeb7V:UKLPfIWX9zf
                                                                                                  MD5:A3A7DF1630D2F94A404911C42EC86548
                                                                                                  SHA1:A36036B911CE2E458E0CF3D7F88DC21C6C745252
                                                                                                  SHA-256:7CC3FB7B986824999BFA8495606B73FDB2BF4FA550B2B2969087D7A3A438129A
                                                                                                  SHA-512:0465AEE62552F9BA8F4B10236479749929923B052889A91802FEBE2001E5B27A1579791F584172EA651615CB597B50B78049859029960153BB78F147ECC35E8B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...U............."!..0..$...........B... ........@.. ..............................2.....`.................................LB..O....`...................)...........A..8............................................ ............... ..H............text...."... ...$.................. ..`.rsrc........`.......&..............@..@.reloc...............,..............@..B.................B......H........ ... ..................P ......................................$..U...,-....d.l..a.../'.....&.~..ci..@O88.2.S&....u\1.a...N..t......../+B.<O.M..*T7...8.4....t..T...U.....a`.......BSJB............v4.0.30319......`.......#~......8...#Strings............#GUID...(.......#Blob......................3............................................................G..... .......b.....i...f.....-.........................................[...............................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.Serialization.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16664
                                                                                                  Entropy (8bit):6.740295761391647
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:s77MLW7MWEqHWdeX6HRN7V5HtcTR9zi2eN4:sfMkpEq3WVFWV9zpem
                                                                                                  MD5:F816E514999F8058A7314CB848A829C2
                                                                                                  SHA1:9E2B4CC7AEAB7DEA40FE839A1F60BE83092A62E2
                                                                                                  SHA-256:B3D731DBDD4690E8EE2C2DDF3863DF96EFC075048A2014CF27FCB15826E9A354
                                                                                                  SHA-512:4B1C5D989D04CC8B790A98A3B658B657E331F7196EB67DF1E83E6915792677971CA222CB51F692DFF79D712378E49ABDFB77E716C37BAEB5985F73656AE58287
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............." ..0..............-... ...@....... ..............................kY....`..................................-..O....@...................)...`.......,..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l...x...#~..........#Strings............#US.........#GUID...........#Blob............T.........3..........................................p.........$.F.....F...r.....|.......<...............*...........]...........0.....M.....D.................s.....D.....x.F.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XDocument.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16152
                                                                                                  Entropy (8bit):6.763138114329992
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:3rxp3W/edW4WpWxNzx95jmHnhWgN7acW7lwKUWX01k9z3A/bsi:1p3W/edWFSX6HRN7b2R9zEN
                                                                                                  MD5:4A97F6106712E9C5EEF01AE7B67266E6
                                                                                                  SHA1:2F22F7990DD4071D32DDAEA2540F82226DCDE930
                                                                                                  SHA-256:D125080F4D56BBFB3D41F40AC47A5D24C7C62EF52442D1219A0076DEB4C9AB72
                                                                                                  SHA-512:95D7E51BD942B999BA03A0132B1CFC89DF677646A0DFE18D4A64A81DC4336170A47B7CEA5FAD6133530CCA7C13D54293D35C37D2A7DD93F957AF52BC570A20D9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....1l..........."!..0..............+... ........@.. ...............................7....`.................................L+..O....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ......................................uL....M..*2.....L..L.1./.......6.u.?......L..DK.^...jp.K..:..i.K._.re.Iq.`b.7....C]..y.j`U..Of.!..f....|)..n..$..\....o.3vJBSJB............v4.0.30319......`.......#~..l.......#Strings............#GUID...,.......#Blob......................3................................................L...............................8.....L...p.L.....L.....L.....L.....L.....L...l.L.....L.............................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.XDocument.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18080
                                                                                                  Entropy (8bit):6.63523384035834
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:tW0TeWp4DT8VGTYA6VFHRN7dJ/R9zphxF:Rp4DAqFClHZ9zj7
                                                                                                  MD5:1A0C9FD9FF7364B200A5A3A4F7697575
                                                                                                  SHA1:642B759B7F295B75C383C32E9A14E6662CEBF8D3
                                                                                                  SHA-256:13BC6FAF450D3EFAD855E2C18BD0A042C2F19F71BD4A6624F932D644819D336F
                                                                                                  SHA-512:F59563D3779A01F6199657F813CE9C598368AF918DBBF3CB91A0AC5CC1887D8A2E36BFD67A2CE10568D7DB942CF1F60DBC1B9048AB05A7BE4DCEB5BC4361E625
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...?P|..........." .........................................................P......n.....`...@......@............... ......................................0...H........(...@......P...T...............................................................H............text............................... ..`.data...?....0......................@....reloc.......@......................@..B............................................0...........................\.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O..................z........ .?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...N.....C.o.m.m.e.n.t.s...S.y.s.t.e.m...X.m.l...X.P.a.t.h...X.D.o.c.u.m.e.n.t.....L.....C.o.m.p.a.n.y.N.a.m.e.....M.i.c.r.o.s.o.f.t. .C.o.r.p.o.r.a.t.i.o.n...^.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n.....

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XPath.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16032
                                                                                                  Entropy (8bit):6.708050473788568
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:2/lRiA6fDOxDWB4vWifYA6VFHRN7JKDX+iR9zZOdih:OPKkTFClJKDuO9zS+
                                                                                                  MD5:3EA28D1CFA9BC0837699982788065BB8
                                                                                                  SHA1:6567890ED00E87AAC9FC908B08FD47C9DF5C3382
                                                                                                  SHA-256:6C6099617CBFA7F072F1DFA910002C19FC53F6F6F25C3440368B55184B4FB00B
                                                                                                  SHA-512:51583767F241F621CA480986C044358059AD1419FD78F142BD4DBE32F9C154FAC736BA4E05ECC94C3817D5DC77D21AF0B5B9308952F0DA9E343939965260221B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r............"!..0..............*... ........@.. ....................................`.................................|*..O....@..h................(...`.......)..8............................................ ............... ..H............text........ ...................... ..`.rsrc...h....@......................@..@.reloc.......`......................@..B.................*......H........ ......................P .........................................0v+.....W.....7.,.U.6.?#O.(F@.)2.....v.a.p...X.....&[.:.q.6........<..,A^.w.wU......#..fx....5.-..2..J......6f...=rBSJB............v4.0.30319......`.......#~......\...#Strings....X.......#GUID...h.......#Blob......................3......................................'.........C...............................d...%.{...g.{.....{...|.{.....{.....{.....{...c.{.....{.............................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlDocument.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16152
                                                                                                  Entropy (8bit):6.788762477043187
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:6RGxGfj14WA9pnPUWoWhWxNzx95jmHnhWgN7acWyILyttuX01k9z3A1iGHl9CN:ksGfjiWeJsW1KX6HRN7A2SR9zWi49M
                                                                                                  MD5:A8C4B4B883ABD397C940CCA54E6BE11E
                                                                                                  SHA1:E01F75FC94F7B6A01985A750A65966C0231B8FE8
                                                                                                  SHA-256:56CFB3A3DC6876128F9404DA3B80242FADD11B8996D4AF39652BB408A0076451
                                                                                                  SHA-512:5E5A0978570ACD51C1DFD41413D15243420119B09AF829449EBDA7BFF688A9F1922B156068B8F88F013830265164677B61FD330EE3E81AFDA29A5774B1AF77D1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q............."!..0..............+... ........@.. ..............................z.....`.................................|+..O....@...................)...`.......*..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H........ ......................P ........................................^...K=....T..t..R.(Q.'.V.K...<.pR.!G.....c`...c2.CyM..V.xuH...xv3(.IM]7...^r.R.<..q..3w2M.J......j..0..)..!{.1H..Z..7BSJB............v4.0.30319......`.......#~..\.......#Strings....H.......#GUID...X.......#Blob......................3......................................#.........P./...../.........O.............\...2.....g...................................p............./.......................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.XmlSerializer.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18200
                                                                                                  Entropy (8bit):6.622578908813458
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:1e7gLgTJNTXxhuuWpovWAWGWxNzx95jmHnhWgN7acWAYzyttuX01k9z3A1if37:Q08rBhPWpovWNNX6HRN79SR9zWi/7
                                                                                                  MD5:E9B2D64A6720117CE7AA1163D2BF6C70
                                                                                                  SHA1:B54E1A857603CB0EE0942BA9361C569EFE407FE3
                                                                                                  SHA-256:A26D2CE64BD85D4A33404F896AD6B52C2EA0429DCF87E47C62EFC81828C00B5D
                                                                                                  SHA-512:E56E4B8F27D87D6FD96CDCF277A1BF7FC06B37BB9D444050390B0EE401E8A28221077B5B8AE15F8666C04AEEBA957E44BDB2733DF71ED118EB3B269DF6F4D42F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ZG..........."!..0..............3... ........@.. ....................................`..................................2..W....@...................)...`...... 2..8............................................ ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................3......H........ ..P...................P ......................................2......R7..K!..%...].l(% ......K......!....3...X.......6..p$../.'t...n..p/.:..B.|....X.....vly'e...3..=m#.k-E8C.%u....BSJB............v4.0.30319......`.......#~..(...p...#Strings............#GUID...........#Blob......................3................................J.................................+.....F...........N.....H.........................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.Xml.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24848
                                                                                                  Entropy (8bit):6.215678969244202
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:DV/Mc95qohA8bhUVGKOudE6WK9jsWSYA6VFHRN7qCKN9R9zmwje7pk:DV0chOpfsFClqCk9zLjUO
                                                                                                  MD5:0E9B0C0CBF26962F5E9170E8CBEDB4D8
                                                                                                  SHA1:C524BEB25F7F9F4B7421C76E0F93546B239F0F64
                                                                                                  SHA-256:A5694C5A91559559BD8510F6906282EB640512C5B76EA2C08A56166181706AE0
                                                                                                  SHA-512:7F86D23616637175B695DB604C60B4D6488104E474A6A1E118DEDD3A24722B0CF2190A6FFE509A451073EE68EB99CC0C7557486C1469A35DFE9098795D5CA222
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r.6..........." ..0..............L... ...`....... ....................................`..................................K..O....`..8............8...)...........J..T............................................ ............... ..H............text....,... ...................... ..`.rsrc...8....`.......0..............@..@.reloc...............6..............@..B.................K......H.......P ...*..................lJ......................................BSJB............v4.0.30319......l...@...#~..........#Strings....L'......#US.P'......#GUID...`'......#Blob............T.........3..........................................P............... .................k.....H...........S.................G...................................+.....m.S...0...................x.....x.....x...).x...1.x...9.x...A.x...I.x...Q.x...Y.x...a.x...i.x...q.x...y.x.....x. ...x.....x...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):50976
                                                                                                  Entropy (8bit):5.747340839729143
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:bQuoy1c6A2ZX8TRNH5JVbOd502zq1TntVaO6fWRHDRxw9zbkG:bQuoO3ZX8Q5jzC3azfWtIzIG
                                                                                                  MD5:F4AA8DA1F6C1EA181899961A43E94611
                                                                                                  SHA1:8B4F2CA7CCD76D8D51710E1ACB9DB77FAECCF76F
                                                                                                  SHA-256:6AE23353B15E629F945EB03DE5FA3E14F264518CBA9B3872F98EB23DEBFB6B19
                                                                                                  SHA-512:7432D12F9840ED710F6FE68CCFD5FB7321FD93FA4384144336B5F79EB6903CD461261FDDE16D16A7446853FA4BF3EE77114BE201FEB433CFAB069F71590C567A
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\System.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ..............................4.....`.....................................O....................... ).............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......P ......................`.......................................BSJB............v4.0.30319......l...$;..#~...;...R..#Strings....4.......#US.8.......#GUID...H.......#Blob............T.........3................................/......................=.....=....J=...=......V...}.....h.. ..... ..... ..J.. ..... ..... ..... ..1.. ..j.. .., AF..a.AF.....R..e..=.................;.....;.....;..)..;..1..;..9..;..A..;..I..;..Q..;..Y..;..a..;..i..;..q..;..y..;.....; ....;.....;..

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\WindowsBase.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):17168
                                                                                                  Entropy (8bit):6.671236708882877
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:gpmduasEWQ9EE6rWVZcW4YA6VFHRN7I2IR9zqIcx:g0dJnxCFClrU9zY
                                                                                                  MD5:9C24FB2625D3BE532FE098126BD60FF6
                                                                                                  SHA1:336F6676FBB339867B1F147679E825222C0BA51D
                                                                                                  SHA-256:3CFF84BE953E9791D90CFAC5B97913DD04D88BEBD5DAB42E650D6C102891B686
                                                                                                  SHA-512:E493486CFD2C5AC9206F7FF0EEC2A59FC1051200A576C0E69B067411E51F606D3E2D0D89F4DB8FFB0B8BB79C4A38ABF971AB35D335DC4F5CAF63E27BA37275EE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d..........." ..0............../... ...@....... ...............................R....`.....................................O....@..8................)...`.......-..T............................................ ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`......................@..B........................H.......P .. ...................p-......................................BSJB............v4.0.30319......l.......#~..$.......#Strings............#US.........#GUID.......D...#Blob............T.........3..........................................f.........3.................'.....0.......v.....................l...........I.....f.....S.............i.....i................. ...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.....y......... .............

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.459775574843526
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:SOQWvhW/WYnO/VWQ4SWc0NsxZAqnajT9CJIC:SjWvhWvUsNs/Al39AL
                                                                                                  MD5:681C84FB102B5761477D8DA2D68CD834
                                                                                                  SHA1:FD96CF075A956FBC2B74E1ECC3E7958163B58832
                                                                                                  SHA-256:F0F7CB2A9FFCCB43400DB88D6BF99F2FCC3161DE1AC96C48501D4D522C48C2CA
                                                                                                  SHA-512:C41A62F8D10290215B8A7F0DDCC27A1CF12A7453C2DAABEF75BD2CE87C4FFC87D74EDC8CAA1771BEDA0BFA26249CFE3C94D4AF50B22A5DECB6D282BD8A2C4BDD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...B4............" .........0...............................................@............`A........................................p...,............0...............0...!..............p............................................................................rdata..t...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-2-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20960
                                                                                                  Entropy (8bit):4.499619700582879
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:L6WvhWFWYnO/VWQ4SWssAtkqnaj6M07i5CK:+WvhW1UslWMui57
                                                                                                  MD5:039D612693E56CCF32AE81C99443EA77
                                                                                                  SHA1:0487AA5E7D283A8840F3005D1E24E8C9ED140974
                                                                                                  SHA-256:4E978EE035B72032D0B7693E09EED6E112DCED6965780BC3E6B8E024EA2366AB
                                                                                                  SHA-512:FFA56C73E977FFCEF7890AB6C3EC52E9827AF28B0552F11C48BB7CA16D37C2B7069FB7E03CEFB89F8679E3755BCC8C47344D0D9B91416C6D92CA7DB28C20240A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....=.........." .........0...............................................@...........`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-datetime-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20952
                                                                                                  Entropy (8bit):4.308560743366262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:1WvhW/WYnO/VWQ4yWxK2fvXqnajeCqN+6:1WvhWvU8XlX0
                                                                                                  MD5:2A8065DC6E6E60FB90B4B3F9E6BA7288
                                                                                                  SHA1:400A1F44CD4354DEA0117E79EC04B006D6141B36
                                                                                                  SHA-256:55E5F10D0DD9C85FF1C6DC7798E46B3A4422FB7EBC583BB00D06A7DF2494397B
                                                                                                  SHA-512:787E033E35AA357263639D97FDFE8A2EBC9F17865579BE13C14C0A4C2ED99432ED8EA79C5046D1B4B783BF5FCF7B713EFDD70FCA8445A7AFCB91CFDDC7F9D442
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...FBe..........." .........0...............................................@.......,....`A........................................p................0...............0...!..............p............................................................................rdata..X...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-debug-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.314779945585029
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:JWvhWiWYnO/VWQ4mWAyTIl1PXEKup3JdqnajKsztG2:JWvhWYUQI/PX7aJdlGsztG2
                                                                                                  MD5:720DB2235C4193151FF8987F8A729135
                                                                                                  SHA1:038648798892203B506AB4664BAECA25F78BC43C
                                                                                                  SHA-256:092B72832C47F9C4EDCDE61F1A111C20EB73452984E0A6109482DE74EB03C34D
                                                                                                  SHA-512:CAAC89DC4FE10E7752B6F248623B34A47A77A750E62F0A558C760A8AD672D980AFC966A9E5696BA5C916E722FD221D305C4D2C49D5DDA0E4A768855886D4F3CA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...@4............" .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-errorhandling-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.363620943088422
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:9m7xeiImxD3exWvhW5WWYnO/VWQ4mWACJXEKup3JdqnajKsztJ30:9m7xeiIFxWvhWuUkX7aJdlGsztd0
                                                                                                  MD5:ECDD006AAE56427C3555740F1ABFA8D6
                                                                                                  SHA1:7DFAB7AD873544F627B42C7C4981A8700A250BD4
                                                                                                  SHA-256:13BC8B3F90DA149030897B8F9F08D71E5D1561E3AE604472A82F58DAB2B103F9
                                                                                                  SHA-512:A9B37E36F844796A0FE53A60684BE51AB4013750BB0B8460C261D25FA5F3DE6CE3380044DDC71116825D130A724DF4BA351C2CFFCBF497EF1B6C443545E83F1C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......v.........." .........0...............................................@.......p....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-fibers-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.2939305898439235
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:8gWvhWliWYnO/VWQ4mWCkJZH2vArqnajKsbTYjtZ:NWvhWlYUDuH24rlGsbTY5Z
                                                                                                  MD5:EB065ED1B5CABDBB90E2403B8564778F
                                                                                                  SHA1:5B511215EE0E347734FB727FAD6A0A959FF81BF1
                                                                                                  SHA-256:BB2D740333AFAEA2A73A163F95FA102D018CCD68DEF28B6815A2BE0696AB57DB
                                                                                                  SHA-512:E5FF38F28253FB31BF583131E23EF58AF60020AD1FB329986C8789FE351F4B73CB06109FBC4220678D93191B04DB353466F728534AA1FEBEDF150C491B8E7C65
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....cc.........." .........0...............................................@.......o....`A........................................p................0...............0...!..............p............................................................................rdata..0...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25048
                                                                                                  Entropy (8bit):4.628757275210407
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:1mtaNYPvVX8rFTsvWvhWmWYnO/VWQ4yW9AfvXqnajeCqKW:8PvVXhWvhWMU7XlX7W
                                                                                                  MD5:36277B52C64CC66216751AAD135528F9
                                                                                                  SHA1:F2A6740BA149A83E4E58E1E331429FA3EB44FBA0
                                                                                                  SHA-256:F353B6C2DF7AADB457263A02BCE59C44BBAB55F98AE6509674CFBC3751F761B9
                                                                                                  SHA-512:BE729194A0A3C4D70A6FFA8DE5C7F8BB3DDA1F54772F9AEFF4B9AA1D6756720D149613C5DCB911286B6C0181A264A4A2A8A4EB848C09AC30BA60B6FD10DD64C9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...!..e.........." .........@...............................................P............`A........................................p................@...............@...!..............p............................................................................rdata..L........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l1-2-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20960
                                                                                                  Entropy (8bit):4.328858083322922
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:IAIEWvhWLIQWYnO/VWQ4eWletp80Hy5qnajsBk9:I5EWvhWLI+UJpslE8
                                                                                                  MD5:D92E6A007FC22A1E218552EBFB65DA93
                                                                                                  SHA1:3C9909332E94F7B7386664A90F52730F4027A75A
                                                                                                  SHA-256:03BD3217EAE0EF68521B39556E7491292DB540F615DA873DD8DA538693B81862
                                                                                                  SHA-512:B8B0E6052E68C08E558E72C168E4FF318B1907C4DC5FC1CD1104F5CAE7CC418293013DABBB30C835A5C35A456E1CB22CC352B7AE40F82B9B7311BB7419D854C7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@......p.....`A........................................p...L............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-file-l2-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20960
                                                                                                  Entropy (8bit):4.41968362445382
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:lC+WvhWRWYnO/VWQ4SWHvD480Hy5qnajsBkffy2:4+WvhWRUGEslECl
                                                                                                  MD5:50ABF0A7EE67F00F247BADA185A7661C
                                                                                                  SHA1:0CDDAC9AC4DB3BF10A11D4B79085EF9CB3FB84A1
                                                                                                  SHA-256:F957A4C261506484B53534A9BE8931C02EC1A349B3F431A858F8215CECFEC3F7
                                                                                                  SHA-512:C2694BB5D103BAFF1264926A04D2F0FE156B8815A23C3748412A81CC307B71A9236A0E974B5549321014065E393D10228A0F0004DF9BA677F03B5D244A64B528
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....mR.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-handle-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.329081455517674
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ZfWvhWPWYnO/VWQ4SWR7me4qdsxZAqnajT9CRixc:ZfWvhW/UNezs/Al39wiO
                                                                                                  MD5:3039A2F694D26E754F77AECFFDA9ACE4
                                                                                                  SHA1:4F240C6133D491A4979D90AFA46C11608372917F
                                                                                                  SHA-256:625667EA50B2BD0BAE1D6EB3C7E732E9E3A0DEA21B2F9EAC3A94C71C5E57F537
                                                                                                  SHA-512:D2C2A38F3E779AC84593772E11AE70FC8BCFD805903E6010FE37D400B98E37746D4D00555233D36529C53DD80B1DF923714530853A69AA695A493EC548D24598
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......0.........." .........0...............................................@......=.....`A........................................p...`............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-heap-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20960
                                                                                                  Entropy (8bit):4.447714045651854
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:gxlAWvhW5EWYnO/VWQ4SWArSZBUuUgxfzfqnajmGYjB:gxlAWvhW5yUbSsIrlStjB
                                                                                                  MD5:2EDC82C3DA339A4A138B4E84DC11E580
                                                                                                  SHA1:E88F876C9E36D890398630E1B30878AF92DF5B59
                                                                                                  SHA-256:E36B72EAFFFFFB09B3F3A615678A72D561B9469A09F3B4891ABA9D809DA937A5
                                                                                                  SHA-512:6C1B195B2FABE4D233724133AE3BDF883F287B5ECD9639A838AD558159A07E307E7AE5E5407CE9229DCCDE4BE2CC39EC59506A5FB73B45D04B80330B55E2B85C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...)\Ix.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-interlocked-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.368970650031484
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ODWvhWJWYnO/VWQ4mWbAcH2vArqnajKsbTY3:ODWvhWJUrcH24rlGsbTY3
                                                                                                  MD5:215E3FA11BE60FEAAE8BD5883C8582F3
                                                                                                  SHA1:F5BF8B29FA5C7C177DFEC0DE68927077E160C9AB
                                                                                                  SHA-256:FBB9032835D0D564F2F53BBC4192F8A732131B8A89F52F5EF3FF0DAA2F71465F
                                                                                                  SHA-512:C555698F9641AF74B4C5BB4CA6385B8D69D5A3D5D48504E42B0C0EB8F65990C96093687BC7EE818AA9C24432247AFAD7DF3BF086010A2EFCD3A1010B2FCD6A31
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......d.........." .........0...............................................@......5.....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-libraryloader-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.601897142725442
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:pTvuBL3BBLxWvhWcWYnO/VWQ4mW74j21EhqnajKsxX+:pTvuBL3BXWvhWKUBqslGsxu
                                                                                                  MD5:9A8AB7FE8C4CC7604DFF1FBFA57458AA
                                                                                                  SHA1:68ED7B6B5191F53B50D6A1A13513DB780AB19211
                                                                                                  SHA-256:E9A3D7F8A08AB5BC94ACB1EC1BFFDA90469FEC3B7EECDF7CF5408F3E3682D527
                                                                                                  SHA-512:05DAEABBCDE867E63FDE952213FFF42AF05E70AE72643C97060A90DCEA2A88B75947B6F503CB2C33938AFE36AD1BAFBA5008C1BBE839F6498CDA27DA549DAEE9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...P.1..........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..`...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-localization-l1-2-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20960
                                                                                                  Entropy (8bit):5.116096564588074
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:6naOMw3zdp3bwjGzue9/0jCRrndbDWvhWfUCBoliM:POMwBprwjGzue9/0jCRrndbwIJY
                                                                                                  MD5:DE5695F26A0BCB54F59A8BC3F9A4ECEF
                                                                                                  SHA1:99C32595F3EDC2C58BDB138C3384194831E901D6
                                                                                                  SHA-256:E9539FCE90AD8BE582B25AB2D5645772C2A5FB195E602ECDBF12B980656E436A
                                                                                                  SHA-512:DF635D5D51CDEA24885AE9F0406F317DDCF04ECB6BFA26579BB2E256C457057607844DED4B52FF1F5CA25ABE29D1EB2B20F1709CF19035D3829F36BBE31F550F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....3..........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-memory-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.483681194749599
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:WqfWvhWoWYnO/VWQ4mWKNe4XEKup3JdqnajKsztPO/B:WGWvhWWU9X7aJdlGsztP2
                                                                                                  MD5:7DDDA921E16582B138A9E7DE445782A0
                                                                                                  SHA1:9B2D0080EDA4BA86A69B2C797D2AFC26B500B2D3
                                                                                                  SHA-256:EF77B3E4FDFF944F92908B6FEB9256A902588F0CF1C19EB9BF063BB6542ABFFF
                                                                                                  SHA-512:C2F4A5505F8D35FBDD7B2ECA641B9ECFCB31FE410B64FDE990D57B1F8FD932DFF3754D9E38F87DB51A75E49536B4B6263D8390C7F0A5E95556592F2726B2E418
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...dIx..........." .........0...............................................@.......:....`A........................................p...l............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-namedpipe-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20960
                                                                                                  Entropy (8bit):4.417647805455514
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:RWvhW0WYnO/VWQ4SWKeE+Ztc80Hy5qnajsBkUqS:RWvhWiUxslE5qS
                                                                                                  MD5:BF622378D051DB49BDC62ACA9DDF6451
                                                                                                  SHA1:EFD8445656A0688E5A8F20243C2419984BB7743E
                                                                                                  SHA-256:0BFEDB0D28E41E70BF9E4DA11E83F3A94C2191B5CD5DD45D9E9D439673B830CE
                                                                                                  SHA-512:DF32D34C81FDE6EEF83A613CE4F153A7945EECFB1EC936AC6ED674654A4E167EC5E5436185B8064177F5F9273D387CA226C3C9529591180250A9C5C581EC6F70
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....2............" .........0...............................................@.......p....`A........................................p................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processenvironment-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.6126507489483375
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:qF3qWvhWQWYnO/VWQ4SWL7JJsxZAqnajT9CgsLam:qF6WvhW+UA7s/Al39wR
                                                                                                  MD5:A56E3E2AA6398CCB355C7CDE81CCB6E5
                                                                                                  SHA1:A26273DD41DB7B63D3A79ACF6F4F3CF0381A8F02
                                                                                                  SHA-256:25AF1BC31C4A3FB9F1036C9AA51CB0AE8899C499B3EEF4CF7281515C1EA27B47
                                                                                                  SHA-512:3D5CEC9E5B42724794282974F637B1FDA8C26ADF01ED19DD2EC4F940E01CD43BDC42E46DC3E62704E62553DE96D3FEA1616C9650AF73CDB557DFCA1B52051A64
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.978924663768967
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:Hck1JzNcKSIGqAWvhWTUpDX7aJdlGsztMs:3cKSswKz7aJGps
                                                                                                  MD5:82159E8D92E38C4F287EB9420DCF1F9F
                                                                                                  SHA1:2E4436DBE18D943416A388777D05BFE5CB553DE7
                                                                                                  SHA-256:0D22CE9D987EFD6886A8DE66A6A678C287D29B15963B4373F73D79DDE42C9827
                                                                                                  SHA-512:DCEF1E0C7916C8CD08148962949A996FFC5D46B899CD82DFBCD9BB1BC614622BC8997F1E7D3C4E3D75F2DF07540A4C17F39477CFE97BA7F0BD280CDD52E06F91
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......Y.........." .........0...............................................@.......K....`A........................................p................0...............0...!..............p............................................................................rdata..4...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-processthreads-l1-1-1.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.513848472591714
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:pwQpUwzDfIeOWvhW9WYnO/VWQ4+WWXtplsxZAqnajT9CGl:pZDfIeOWvhWNUFbls/Al39Hl
                                                                                                  MD5:74C264CFFC09D183FCB1555B16EA7E4B
                                                                                                  SHA1:0B5B08CDF6E749B48254AC811CA09BA95473D47C
                                                                                                  SHA-256:A8E2FC077D9A7D2FAA85E1E6833047C90B22C6086487B98FC0E6A86B7BF8BF09
                                                                                                  SHA-512:285AFBCC39717510CED2ED096D9F77FC438268ECAA59CFF3CF167FCC538E90C73C67652046B0EE379E0507D6E346AF79D43C51A571C6DD66034F9385A73D00D1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...%p_W.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..,...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-profile-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.293598211920456
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:dWvhW/WYnO/VWQ4SWYujPUsxZAqnajT9Cl36:dWvhWvUgMs/Al39Eq
                                                                                                  MD5:D6F37B232E3F2E944EBCF53A662E852F
                                                                                                  SHA1:C10839E941444ED79C2314F90DA34E5742F4E514
                                                                                                  SHA-256:5E6AD9502C8411F29BC072EFD08C4FCD09BC3367814269DEDA74A78536FB8375
                                                                                                  SHA-512:6E0CF1021EF3FF31895D2B6A9E72084EBE52DE4201D317B12FB8B05A7B1946FDEF65D2B046F8FB25189D3A94F70726121F2E8EAC8239C00EE02EF5EAF57F21C5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata.. ...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-rtlsupport-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20960
                                                                                                  Entropy (8bit):4.469567491280211
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:aGeVTg6WvhWGWYnO/VWQ4SWupBd80Hy5qnajsBkt2NjY:aGeVTg6WvhWsUldslE8+Y
                                                                                                  MD5:6397D5CC116D884D31552F613F748556
                                                                                                  SHA1:B76B19FE4D3D5D26D2DEE1983D384E26D961180E
                                                                                                  SHA-256:40EB38D84DFD13C8A58211B8273C4B4965148742F08EB6FE8B0830392C37ABC1
                                                                                                  SHA-512:4449DA9BAA3F722EB274AC527125F5918A17BC94B243849A0A44F3463E35F368339A58A6AA1E08B83D54D13538C0D52BFCB452A48B8B9A52961BF136256D220E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....C}.........." .........0...............................................@.......T....`A........................................p...<............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-string-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20960
                                                                                                  Entropy (8bit):4.375396134710155
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:v0yyMvJWvhW4WYnO/VWQ4SWQwwV80Hy5qnajsBkrfFIf:zyMvJWvhWmUAIslEAfFI
                                                                                                  MD5:D2D7458AB838E738B54FB4D6FA490BF6
                                                                                                  SHA1:0CFC5659B23A35C987B96CABBC0D10325316385D
                                                                                                  SHA-256:285A481D7BA9859CC28BEDEDD8F05A90BD648A34D66B8C797118920B40E15E4E
                                                                                                  SHA-512:62E0ABB2E59D360D6A066E73289AA1B880E7C1A0B7E6C695F40B1E0F2CB11DEB9E54DEBA4045D2454B911AF109EC198F11073874A8F023EB1B71A16A74354A1E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....%fN.........." .........0...............................................@............`A........................................p................0...............0...!..............p............................................................................rdata..<...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.889960536352825
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:lQMwidv3V0dfpkXc0vVaLnWvhWTULrX7aJdlGsztzO1:xHdv3VqpkXc0vVagQ2L7aJGqO1
                                                                                                  MD5:255B18FE8AB465C87FB8AD20D9A63AAC
                                                                                                  SHA1:645823B0332ADDABA5E4EF40D421B2DA432FDA5E
                                                                                                  SHA-256:E050E1BFBB75A278412380C912266225C3DEE15031468DAE2F6B77FF0617AA91
                                                                                                  SHA-512:19244B084AC811B89E0E6A77F9308D20CF4FBB77621D34EEDC19FCD5C8775A33B2D9ADA3F408CBE5806C39745B30C1C1CC25D724DB9377B437D771AE0BF440B1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....>F..........." .........0...............................................@......Re....`A........................................p...X............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-synch-l1-2-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.557349562243787
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ctZ3ZtIWvhW9NWYnO/VWQ4SWndusxZAqnajT9CMCz4:ctZ3wWvhW9dUds/Al39pCz4
                                                                                                  MD5:0A2432A420640A79FAAFF044AB054EF6
                                                                                                  SHA1:15688BF3C9330309EC5EA602C0AD5AF1FD68BC30
                                                                                                  SHA-256:9DFD114E4182662A669A3B9054DD2A24D96DD66ED96A8B2AC05601928B2084D5
                                                                                                  SHA-512:090D6D5046AEFE9006B319FC3F9740426BC93E50CF262CE65857449891CA69D2A235421CFEA3FB178D3F8B1E3F640B8678AA9D8F6E67B8A17985913BEBFB3FDD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...x............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-sysinfo-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.617444368323971
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:UgdKIMFemVWvhWNWYnO/VWQ4mWY1tcQIj21EhqnajKsxN:JH0WvhWdUDIqslGsxN
                                                                                                  MD5:E1A7B1F8CDB24324D0E44B0078DB8BD1
                                                                                                  SHA1:B6C2FE32AE5FA1398F7AE6245C405378E32A7897
                                                                                                  SHA-256:45D4F1E398E4CC73FD1AAAD80219D2A9D3205A228167C819EB6787D7B01FC186
                                                                                                  SHA-512:144AFE1CB812DE93FBDD08658AFEB4C95480A8E504C5DCF909FF226400CA2D0F48395CF71954FBD1B3DD93A49CBA39EC0DB3FC34A05804C93FD9A48B0A1749CA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......d.........." .........0...............................................@.......A....`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-timezone-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.549935038939539
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:+cWvhWoWYnO/VWQ4mWRhXEKup3JdqnajKsztzy:+cWvhWWUqX7aJdlGsztzy
                                                                                                  MD5:CB39EEA2EF9ED3674C597D5F0667B5B4
                                                                                                  SHA1:C133DC6416B3346FA5B0F449D7CC6F7DBF580432
                                                                                                  SHA-256:1627B921934053F1F7D2A19948AEE06FAC5DB8EE8D4182E6F071718D0681F235
                                                                                                  SHA-512:2C65014DC045A2C1E5F52F3FEA4967D2169E4A78D41FE56617CE9A4D5B30EBF25043112917FF3D7D152744DDEF70475937AE0A7F96785F97DCEFAFE8E6F14D9C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................" .........0...............................................@............`A........................................p...H............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-util-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.319450964936577
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:MPWvhWRWYnO/VWQ4SWiIsxZAqnajT9CDH:yWvhWRUCs/Al39OH
                                                                                                  MD5:5B6C46F42ED6800C54EEB9D12156CE1F
                                                                                                  SHA1:66CE7A59B82702875D3E7F5B7CF8054D75FF495F
                                                                                                  SHA-256:2631CADCE7F97B9A9E6DF4E88F00F5A43EF73B070EE024ED71F0B447A387FF2F
                                                                                                  SHA-512:38FF6745BB5597A871B67AA53FCC8426BC2CDD16B6497A0EB7B59C21D8716F1ABB1F7C7A40A121AD1BD67B5490FEF5CF82EE8FD0BF848F27DCA27FC5D25DEC61
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......#.........." .........0...............................................@...........`A........................................p...<............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-conio-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.6478341719136145
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:y0WvhW3WYnO/VWQ4mW8iTH2vArqnajKsbTYk:FWvhWnUIH24rlGsbTYk
                                                                                                  MD5:A68D15CAB300774D2A20A986EE57F9F4
                                                                                                  SHA1:BB69665B3C8714D935EE63791181491B819795CB
                                                                                                  SHA-256:966DDBF59E1D6C2A80B8ABBF4A30D37475DE097BF13FB72BA78684D65975CD97
                                                                                                  SHA-512:AC040F92560631CA5162C7559173BDFE858E282225967AB1ADC0A038D34943B00DB140D44319CD2CDC2864295A098AB0BA634DFAA443E1D1782FA143AE4C217D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...8.?;.........." .........0...............................................@......5.....`A........................................P................0...............0...!..............p............................................................................rdata..@...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-convert-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25056
                                                                                                  Entropy (8bit):4.647238720605179
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:3jQ/w8u4cy1WvhWb9WYnO/VWQ4SWANsAlosytkqnaj6Md:fy1WvhWhUNsilWMd
                                                                                                  MD5:0E35E369165875D3A593D68324E2B162
                                                                                                  SHA1:6A1FF3405277250A892B79FAED01DCDC9DBF864A
                                                                                                  SHA-256:14694879F9C3C52FBD7DDE96BF5D67B9768B067C80D5567BE55B37262E9DBD54
                                                                                                  SHA-512:D496F0C38300D0EED62B26A59C57463A1444A0C77A75C463014C5791371DECA93D1D5DD0090E8E324C6A09BD9CFF328F94947272CA49018C191C12732E805EE8
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....A............" .........@...............................................P......4.....`A........................................P................@...............@...!..............p............................................................................rdata..>........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-environment-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.454858890873412
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:PLGju+OXWvhW+eWYnO/VWQ4mWPiNbj21EhqnajKsxy:PLGjuJWvhWFUztqslGsxy
                                                                                                  MD5:DACF383A06480CA5AB70D7156AECAB43
                                                                                                  SHA1:9E48D096C2E81A7D979F3C6B94315671157206A1
                                                                                                  SHA-256:00F84C438AAB40500A2F2DF22C7A4EC147A50509C8D0CDAC6A83E4269E387478
                                                                                                  SHA-512:5D4146A669DDB963CF677257EC7865E2CFCB7960E41A38BBD60F9A7017474ED2F3291505FA407E25881CBF9E5E6B8055FF3BD891043284A0A04E3FE9CFAD9817
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d................." .........0...............................................@......w.....`A........................................P..."............0...............0...!..............p............................................................................rdata..r...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-filesystem-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.950541424159939
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:RSnWlC0i5CtWvhWJKWYnO/VWQ4SWuMasxZAqnajT9CQMDt:RSnWm5CtWvhWWUyas/Al39ODt
                                                                                                  MD5:D725D87A331E3073BF289D4EC85BD04D
                                                                                                  SHA1:C9D36103BE794A802957D0A8243B066FA22F2E43
                                                                                                  SHA-256:30BCF934CBCC9ED72FF364B6E352A70A9E2AFA46ECEADEA5C47183CB46CFD16E
                                                                                                  SHA-512:6713FF954221C5DD835C15556E5FA6B8684FA7E19CE4F527A5892E77F322B3DAE7199A232040B89AD4A9575C8D9788D771892D2294F3C18DA45E643EB25FDB08
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d......0.........." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-heap-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.591111522505104
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:PUFY17aFBRIWvhWrWYnO/VWQ4mWCJH2vArqnajKsbTYxj:8Q1WvhWLUrH24rlGsbTY5
                                                                                                  MD5:9151E83B4FDFA88353B7A97AE7792678
                                                                                                  SHA1:B46152E70D5D3D75D61D4CCDB50403BD08BB9354
                                                                                                  SHA-256:6C0E0D22B65329F4948FCF36C8048A54CCCCBF6C05B330B2C1A686F3E686EED0
                                                                                                  SHA-512:4D4210474957E656D821E1DC5934A4BFBF7E73DD61D696A1AB39914F887810C8FBE500DBB1E23782B40807F25820F35C9665E04DCDC2FD0F6C83046A4AECB86B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...G..d.........." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..f...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-locale-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.54281367075804
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:g8yWvhWVWYnO/VWQ4mWWeUDj21EhqnajKsxRIM9:gtWvhWFUtDqslGsxRIG
                                                                                                  MD5:EBC168D7D3EA7C6192935359B6327627
                                                                                                  SHA1:AECEB7C071CF1BB000758B6CEEBEFEEC91AD22BD
                                                                                                  SHA-256:C048A3D7AB951DCE1D6D3F5F497B50353F640A1787C6C65677A13C55C8E99983
                                                                                                  SHA-512:891D252ECD50BDED4614547758D5E301BDF8E71FBB1023FF89F8DE2F81927CC7CC84B98985D99E8FA8DCBF361E5117D9C625DC0D36983AFC3F2AA48A54CE3D48
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....h\..........." .........0...............................................@......}.....`A........................................P...e............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-math-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29144
                                                                                                  Entropy (8bit):4.946641263598223
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:MQM4Oe59Ckb1hgmLJWvhWdUN8HOhlxAnY:rMq59Bb1jeanOunY
                                                                                                  MD5:7A235962DBAB1E807C6EC7609FC76077
                                                                                                  SHA1:148DDD11A0D366313F75871007057B3F0485AB33
                                                                                                  SHA-256:F7C5D7394643C95FE14C07773A8A206E74A28DB125F9B3976F9E1C8C599F2AF1
                                                                                                  SHA-512:25B21EE7BB333E5E34D2B4A32D631A50B8FFAF1F1320D47C97C2A4DFF59FA2A2703CDF30638B46C800D3150EFAA4A2518C55E7B2A3B2E4273F43DD5CA83AE940
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...J..R.........." .........P...............................................`............`A........................................P....%...........P...............P...!..............p............................................................................rdata...&.......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-multibyte-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):29136
                                                                                                  Entropy (8bit):4.764408242494898
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:VA/kPLPmIHJI6/CpG3t2G3t4odXLJWvhWSUwlmX7aJdlGszti:y/kjPmIHJI6AFc7aJGT
                                                                                                  MD5:B3B4A0F3FCE120318E71DE3AFB6BB1AA
                                                                                                  SHA1:D3349409EC717F942769BA67FECA40557C1423D0
                                                                                                  SHA-256:A38E6786DC8EC6D2717343DBE00BB2FDDA008D87935BBD9371AE94E7E004270B
                                                                                                  SHA-512:4A130674DDBB05949665F6F7A070B25E82C34047D1E62EC60C73F815CED39A9041D972BE4E8C505F9B13C5BCDC114F3479BF8D69D7D9CF9987D39A6F5DB7F560
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....T............" .........P...............................................`............`A........................................P.... ...........P...............P...!..............p............................................................................rdata..D".......0..................@..@.data........@......................@....rsrc........P.......@..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-private-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):74192
                                                                                                  Entropy (8bit):5.1227875842071615
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:LLraHgDe5c4bFe2JyhcvxXWpD7d3334BkZnjPgB/P5W:baHgDe5c4bFe2JyhcvxXWpD7d3334Bkb
                                                                                                  MD5:7033AB91EA4F0593E4D6009D549E560F
                                                                                                  SHA1:4951CE111CA56994D007A9714A78CDADEEB0DACF
                                                                                                  SHA-256:BE7901AA1FACEA8E1FD74A62BDE54CC3BD8E898B52E76FABB70342B160989B80
                                                                                                  SHA-512:8BC3B880E31EBE3BC438A24D2AF249C95E320AC3C7A501027EF634F55AAB6FAC4F6D1090A00C29A44657A34EBADCD62023F2E947D31C192072698B645F8651ED
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....+..........." ................................................................e.....`A........................................P....................................!..............p............................................................................rdata..............................@..@.data...............................@....rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-process-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.608840616484201
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:4adyqjd7VWvhWpWYnO/VWQ4mWB8nXEKup3JdqnajKszt0CkD:4aQ0WvhWpUnX7aJdlGszt0r
                                                                                                  MD5:55463244172161B76546DC2DE37F42BD
                                                                                                  SHA1:C10A5360AD5E340D59C814E159EA1EFCBF5BF3EE
                                                                                                  SHA-256:4166A32551989F960DAC7C0E296FFB28092F45F6539E7C450FA04BF17612BE73
                                                                                                  SHA-512:EACEC78FF95F60DEF6F7F27BDA4A84F1DD2DFA386EFC4F6DA770C37268DF83C5B402693EA5C29F54D48026579F3843DB26ADD4D6448EA10CBF7F14D4D14A72FD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....w>..........." .........0...............................................@......M.....`A........................................P...x............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-runtime-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25040
                                                                                                  Entropy (8bit):4.795732177662406
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:oHUW9MPrpJhhf4AN5/KiZWvhWMWYnO/VWQ4mWLz8Y5H2vArqnajKsbTYCkI:oHUZr7PWvhW6UeH24rlGsbTYCx
                                                                                                  MD5:27C4A3BCC0F1DBA2DE4C2242CD489F3B
                                                                                                  SHA1:A704FD91E3C67108B1F02FD5E9F1223C7154A9CC
                                                                                                  SHA-256:315DED39D9E157CEC05D83711C09858C23602857C9D8C88BEEF121C24C43BE84
                                                                                                  SHA-512:793E74DFB1052C06AB4C29E7B622C795CC3122A722382B103940B94E9DAC1E6CA8039DF48C558EFCC5D952A0660393AE2B11CED5ADE4DC8D5DD31A9F5BB9F807
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...4{.+.........." .........@...............................................P............`A........................................P...4............@...............@...!..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-stdio-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25040
                                                                                                  Entropy (8bit):5.082770273323341
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:DA2uWYFxEpahrWvhW/nWYnO/VWQ4mWSmRkH2vArqnajKsbTYMlBzK:DIFVhrWvhWfUERkH24rlGsbTYx
                                                                                                  MD5:306608A878089CB38602AF693BA0485B
                                                                                                  SHA1:59753556F471C5BF1DFEF46806CB02CF87590C5C
                                                                                                  SHA-256:3B59A50457F6B6EAA6D35E42722D4562E88BCD716BAE113BE1271EAD0FEB7AF3
                                                                                                  SHA-512:21B626E619AAF4EDA861A9C5EDF02133C63ADC9E893F38FEDE72D90A6E8BE0E566C117A8A24CA4BAB77928083AE4A859034417B035E8553CC7CCFB88CB4CBD9C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...+b............" .........@...............................................P......'l....`A........................................P...a............@...............@...!..............p............................................................................rdata........... ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-string-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):25040
                                                                                                  Entropy (8bit):5.075489018611419
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:dozmT5yguNvZ5VQgx3SbwA71IkFPaPA6XHPe:dozmT5yguNvZ5VQgx3SbwA71IAaP7XH2
                                                                                                  MD5:EC1381C9FDA84228441459151E7BADEA
                                                                                                  SHA1:DB2D37F3C04A2C2D4B6F9B3FD82C1BE091E85D2C
                                                                                                  SHA-256:44DDAB31C182235AC5405D31C1CBA048316CC230698E392A732AC941EC683BAD
                                                                                                  SHA-512:EE9EBBDC23E7C945F2B291FDE5EB68A42C11988182E6C78C0AB8FA9CB003B24910974A3291BCDAA0C8D1F9DFA8DF40293848FB9A16C4BE1425253BED0511A712
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d....w.e.........." .........@...............................................P......0.....`A........................................P................@...............@...!..............p............................................................................rdata../........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-time-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):5.000234308172749
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:SNDKWvhW/WYnO/VWQ4mWVx2RoXEKup3JdqnajKsztg/J:RWvhWvUexqoX7aJdlGsztgx
                                                                                                  MD5:4CF70855444F38E1EB71F9C3CD1C6E86
                                                                                                  SHA1:D06AEC4008D397756EE841F0E7A435D1C05B5F07
                                                                                                  SHA-256:A409E25A9D3C252CC0A5AF9DF85D3733E946087B06CD1FB2CF1BF640EB0D49BA
                                                                                                  SHA-512:A13A80645E679343AC5638E8AA6A03012F16200CB3A4637BE52A01AA3BEF854324A8ED1882CA91B304B9C47B6351B1FC1671F4DEDE5BE77BC208A71FE6029064
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d.....p..........." .........0...............................................@............`A........................................P................0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-crt-utility-l1-1-0.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20944
                                                                                                  Entropy (8bit):4.5308703760687745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:6PjfHQduHWvhWjWYnO/VWQ4mWEwXBXEKup3JdqnajKsztqOT+:QfxWvhWjUoXBX7aJdlGsztqx
                                                                                                  MD5:FCD6B29932D6FB307964B2D3F94E6B48
                                                                                                  SHA1:BE560F8A63C8E36A7B3FA48FF384F99F69A5D4F7
                                                                                                  SHA-256:CFB2EE4E426BB00B76163C1A66CF8CFEF8D7450CBF9BBCE3BC9EB2053F51E0E5
                                                                                                  SHA-512:3EDFCF559F1E21870277358E6D266A1A0CEA68B163B11C73108F3B6A56006D20B51410A3B4EA39BF80906BF6C9D573E1072697CFCD6A3D37E3679EA54757C69F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.....v...v...v...~...v...v...v...r...v.....v...t...v.Rich..v.................PE..d...w............." .........0...............................................@............`A........................................P...^............0...............0...!..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clretwrc.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):304800
                                                                                                  Entropy (8bit):4.2336898246942685
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:REX9Xit++0PJSKtOJsgI3mwNdmLZ8mTQfsqxEdB:S9xacWIfsqOD
                                                                                                  MD5:DBEB3E7BAE9873B4317F7E581AAF7DA5
                                                                                                  SHA1:9008A7E3F3CC8CA70DE2A6501514E1BC89B480B0
                                                                                                  SHA-256:1498113CBB7EECF7CC591502DC70C138165CFBABBCBB013E103C98357EC9C9EC
                                                                                                  SHA-512:4E5EE6CD29DD31F0881DF453726472166489E4AA6E2F2C98271FD79ED37C0B4022C37F684265EE790687D9925B04127639A1487FC1608F7B5FAB8ED643B69D24
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j=.I.S.I.S.I.S..~..H.S..~Q.H.S.RichI.S.PE..d.....lf.........." .........|......................................................b.....`.......................................................... ..xx...........~...(..............T............................................................................rdata..X...........................@..@.rsrc...xx... ...z..................@..@......lf........l...l...l.........lf..........................lf........l...................................RSDS.An[...E.A.ki.......D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\clretwrc\clretwrc.pdb.............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... .......rsrc$01.....!..hw...rsrc$02....................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\clrjit.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1436848
                                                                                                  Entropy (8bit):6.4837820325046405
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:fLtbu58TIu2rlMBDr0PZYRhVj95f1L7Zr5/z/5ccUYXIBXzkTVsHgWolUZbGwqfy:fLtHAcX0PZuhVDh7ZN7/6YXIBjkBsHgy
                                                                                                  MD5:7B4375E2D9212108130ACA9438B204B4
                                                                                                  SHA1:8AD0A3C29A02429FA4233E0CBE09897EB3960A46
                                                                                                  SHA-256:C8C62D5043E1E16089B85BADC0D41DAA4B8EBCBE8608435783C07679BACD159E
                                                                                                  SHA-512:FD33720895EBEB0074727A38F467209CBE763600476687F42E9727486133B9293F8D18C016CA14991D1671EC87AB09F8722645C54B1E326282E480F801F8B264
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2.US..US..US..\+..YS...!..RS..US...S...&..tS...&..[S...&..\S...&..>S...&..TS...&y.TS...&..TS..RichUS..........................PE..d.....lf.........." .....,................................................... ......^A....`A............................................t....................0..@........(......|.......p....................k..(...@...8............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data....<..........................@....pdata..@....0......................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..|...........................@..B........................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\coreclr.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5125400
                                                                                                  Entropy (8bit):6.552600854604914
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:TRUteSi8SjfXq6ZlxPCEsBfdSf30d9A6oWUqSp0eTVRapiB8YNCdT2eBRJoqN2nc:9U6RxPCEwpJc5H8GatXj
                                                                                                  MD5:3F517CD4D560FF7C81CA4E0ACF375A96
                                                                                                  SHA1:53375106AD45031329A0FB075C0D3193C4A8FAC6
                                                                                                  SHA-256:64E1C7636E731BB9DD30ADF26526BA69A64786F0D4C6979265CB5575AD1ABFF2
                                                                                                  SHA-512:C7FBA2ECE43B3328F5A041407EA4D729BDBCCC65869E7540C7CA1AB558FACCE9E434812C362131CF9D04573D3EDD5460747DEBC175E45BFCEF281546C94476A6
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../.*.Nuy.Nuy.Nuy.6.y.Nuyj<qx.Nuyj<tx.Nuy.Nty.Ouy.;px.Nuy.;qx.Nuy.;vx.Nuys;vx.Nuys;{xlOuys;ux.Nuys;.y.Nuys;wx.NuyRich.Nuy................PE..d....lf.........." ......<...................................................O......N...`A.........................................LI.D...TMI......`O...... K.8.....N..)...pO.Pa....>.p.....................?.(...p.=.8.............<......JI.`....................text...a.<.......<................. ..`.CLR_UEF\.....<.......<............. ..`.rdata........<.......<.............@..@.data... .....I..:...PI.............@....pdata..8.... K.......I.............@..@.didat..8.....N......hL.............@...Section.......N......jL.............@..._RDATA...3... N..4...lL.............@..@.rsrc........`O.......M.............@..@.reloc..Pa...pO..b....M.............@..B........................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\createdump.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):58208
                                                                                                  Entropy (8bit):6.335250887121676
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:IIkf5nMEPz7omzpq/4Jw1AsDZq7v613eUu8sGzWjK9zv2:wn5tLX62Cu8TzW6zv2
                                                                                                  MD5:69338F5C8F7B6567B5E4D83173BD15CD
                                                                                                  SHA1:E2846481C76E4720CE86F57BF7864533A7EC753D
                                                                                                  SHA-256:31ABD14FFAFD56AB69CC0D7222A8004177F689BBBCBAD7312D8C2FC03F32E2E1
                                                                                                  SHA-512:58C721578AE472F4FA275A58483CACA669828254AADEA1457C723E7D353C8D5673736F36C79DA06234C300AB9F361546650A754F6D7EF1CDEF79B5CD2171C806
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l............uU.....x.....x.....x.................x.....x9.....x....Rich...........PE..d...z.lf.........."......h...N.......).........@....................................k+....`....................................................................P.......`)......h.......T...............................8............................................text....f.......h.................. ..`.rdata...6.......8...l..............@..@.data...............................@....pdata..P...........................@..@_RDATA..............................@..@.rsrc...............................@..@.reloc..h...........................@..B................................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\dbgshim.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):140464
                                                                                                  Entropy (8bit):6.413381282488342
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:8XY8Ja8dy1+iLfBcGPUZZceOiU8mJ/QQc962jqc413OjgrxkwF+aW/CzWa:QLgDL+vU8mpcoOjgrxkLaQCn
                                                                                                  MD5:A826058DA5A74D575C5FBBA98D2DE708
                                                                                                  SHA1:B8B628B29BFC99A1CF6565DC0AD941F3A15B67D7
                                                                                                  SHA-256:EB642F50E67611DD041AADF3BFCAEC9FF69A3BBDE27D59BD6F38900307D25CE8
                                                                                                  SHA-512:07D97B9F87BC16B47487C7193084769C751CC2DFF5CD6D033E1575C978B9A3448045CE6B7DFC2A2C4BAB3C17E889679AFE19671AADFA9C2C8FAFFB78BBCC8171
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........@.......................+.......*.......-......./......./.{.....'......................,.....Rich....................PE..d.....lf.........." .....^..........P........................................P......J.....`A............................................(...(........0..........|........(...@..........p.......................(... ...8............p...............................text....\.......^.................. ..`.rdata..Tx...p...z...b..............@..@.data...............................@....pdata..|...........................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\hostpolicy.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):394528
                                                                                                  Entropy (8bit):6.311616444156745
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:BBGjtN9JhCdJeD1QL3sQy8XyV0l0gzPI37VPzBz3BUt9OqOHBE/Xb:BBGjtNlU/rsQy8XyxzkZOGX
                                                                                                  MD5:99627BE8353E7B34EBDBBBF965470601
                                                                                                  SHA1:E60681E3F81B4DCAF304E715878ED9F3984A1BAA
                                                                                                  SHA-256:B54E1ACF51C3A876C68E99FF17C5A585AF264CFC25F57D6913EA9BD85FCB25B5
                                                                                                  SHA-512:BC162E11BDF84ECB7C0DA3F6FFDAB3380958C8B9C86E9DC4CBF03BC8FE3C5B2D958E11FB373D5944418F687F7F559C1DBECA36B37D1AE4472BB8B58420A7AD6C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ux.U..YU..YU..Y.a.X_..Y.a.X_..Y.a.X...Y\l.YG..Y.f.XP..YU..Y...Y.a.XH..Y.a.XT..Y.a.YT..Y.a.XT..YRichU..Y........PE..d...y.lf.........." .....D...................................................@......Oq....`A............................................ ... ........ ..........$0...... )...0..........p.......................(.......8............`...............................text...,B.......D.................. ..`.rdata...F...`...H...H..............@..@.data...............................@....pdata..$0.......2..................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1320360
                                                                                                  Entropy (8bit):6.373679704817961
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:W3ccAqMv7jLs0eJqwnSA/RSwn20qv6InSITDHuPGct:W7s7jsjS4znnqyIn7TrvU
                                                                                                  MD5:4C295F5F2D61B58ABFFDBEAFC26ED0A0
                                                                                                  SHA1:4948926A75605082BF2F2266910A90E526890C75
                                                                                                  SHA-256:1CD7F8274A9856A9A5A26AE2414C2DCE6E194F5C7CC0E3B566564F8A8A758C6D
                                                                                                  SHA-512:245E4571E5F49281093CCEA9FF488BCE4A73AA4D0DB2423B1E9C9C25192CA02387B3D18C7519B756958139ED99CD27B1A81135CA6F8A8D8575CF682CA5B4FC1F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......eK.!*..!*..!*..(R..+*..s_...*..s_...*..s_..+*...X..%*...X..**..!*..*..._..*..._.. *..._B. *..._.. *..Rich!*..........................PE..d....lf.........." .....(...................................................P.......K....`A............................................p...`........ .......`...........%...0..P...`d..p....................f..(....d..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data....!...0......................@....pdata.......`.......*..............@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc..P....0......................@..B................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordaccore_amd64_amd64_6.0.3224.31407.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1320360
                                                                                                  Entropy (8bit):6.373679704817961
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:W3ccAqMv7jLs0eJqwnSA/RSwn20qv6InSITDHuPGct:W7s7jsjS4znnqyIn7TrvU
                                                                                                  MD5:4C295F5F2D61B58ABFFDBEAFC26ED0A0
                                                                                                  SHA1:4948926A75605082BF2F2266910A90E526890C75
                                                                                                  SHA-256:1CD7F8274A9856A9A5A26AE2414C2DCE6E194F5C7CC0E3B566564F8A8A758C6D
                                                                                                  SHA-512:245E4571E5F49281093CCEA9FF488BCE4A73AA4D0DB2423B1E9C9C25192CA02387B3D18C7519B756958139ED99CD27B1A81135CA6F8A8D8575CF682CA5B4FC1F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......eK.!*..!*..!*..(R..+*..s_...*..s_...*..s_..+*...X..%*...X..**..!*..*..._..*..._.. *..._B. *..._.. *..Rich!*..........................PE..d....lf.........." .....(...................................................P.......K....`A............................................p...`........ .......`...........%...0..P...`d..p....................f..(....d..8............@...............................text....'.......(.................. ..`.rdata.......@.......,..............@..@.data....!...0......................@....pdata.......`.......*..............@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc..P....0......................@..B................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscordbi.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1268256
                                                                                                  Entropy (8bit):6.353875443999665
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:+ZdZVsOfVMIVAeZeSuIN5R2kMfmZmogeOaypw7ZSryE0BbdIUtVL0GUix+VgFow6:+ZdZVscj9cSuINr2JeOayeFbpo7iE8oJ
                                                                                                  MD5:8C06FB2F713A634561B3DC6E5469DE70
                                                                                                  SHA1:4FB727BAC8E600A04D200351600DDDB160487D15
                                                                                                  SHA-256:BEAD06E37ED9D1292F205C8F9D1825AF1BA21A1461E1EA1030A16872BC12C854
                                                                                                  SHA-512:A624E37FF0A29767C2E04BDC5120D88D48D0DF687F6B48291C5CC7F9CF89FFEF771EC0946EB00030DDC5623DD29B3AB510F9B0EB35C70A2F1DAE6C1C1784B82A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........g.jy4.jy4.jy4...4.jy4..|5.jy4..}5.jy4..z5.jy4'.}5.jy4'.x5.jy4.jx4:jy4>.z5.jy4>.p5.jy4>.y5.jy4>..4.jy4>.{5.jy4Rich.jy4................PE..d.....lf.........." .....n...........................................................U....`A.........................................n..`....p.......`..........D....4.. &...p......`...p.......................(......8............................................text...5l.......n.................. ..`.rdata...............r..............@..@.data...x............t..............@....pdata..D...........................@..@_RDATA.......P......................@..@.rsrc........`......................@..@.reloc.......p......................@..B................................................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorlib.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):58528
                                                                                                  Entropy (8bit):5.6446323123377224
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:l8zO+8uP8x/A15A4HI4gJl01Qa7ICltVvTFClpDuO9zh:yzO+8uA/A15A4o4gJq1DI+vBipzh
                                                                                                  MD5:86E65EF2C83159E84F5A7C36EC78867E
                                                                                                  SHA1:A0FC2165DAF648BCBAAB3DF2AE0FBAE3FEC0A702
                                                                                                  SHA-256:5319693193C2BCBBE56E1090E1EEA513A0145557E40A789BF96F562C0D0CC8E1
                                                                                                  SHA-512:A6537F4D68ED63DE7D627B8B321010C83D175E0EA50F33AC5DCC5692EF5BA9620A2BD3572B8F4771ACC1B02ECD5B852482CE1EF75B47C65597D2914F4F1D0A37
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....)..........." ..0.................. ........... ....................... .......>....`.................................l...O.......(................(..............T............................................ ............... ..H............text....... ...................... ..`.rsrc...(...........................@..@.reloc..............................@..B........................H.......P .............................................................BSJB............v4.0.30319......l...pL..#~...L..._..#Strings............#US.........#GUID...........#Blob............T.........3....................................,.....*-.........#.M...&.M.....M...M....h..)...$'....".2.....2...&.2..v$.2... .2.....2.....2...$.2..x..2...1.S.....S..5..]...$.M.................L.....L.....L..)..L..1..L..9..L..A..L..I..L..Q..L..Y..L..a..L..i..L..q..L..y..L.....L ....L.....L..

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\mscorrc.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):147104
                                                                                                  Entropy (8bit):3.8671404588318095
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:9V8Zms10iHvh7x8SKJlZ4vCCk7nw55IvZ4MgSZctpoEXXniizP:9V8Z/aSKlZ4ZGnwmUS4Scnp7
                                                                                                  MD5:81556C4545EC2CC21AD218639A0C003B
                                                                                                  SHA1:E80EE14AB3EEE7BAA7FF86B07DDD64B38788D4B9
                                                                                                  SHA-256:214186149DDF144E9FB1935A7B39FA9393D188CCA6558AE580F3DCB3465ABA5C
                                                                                                  SHA-512:99243E57988B7758B8537A43815840509B37CCEB3BEB4B8E6A8086ACB36880D5AA63A4496E16C3BAD34D2D8EDAFF7A240E6FFEC9F60488B6A31D9A957B4CA7C3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........j=.I.S.I.S.I.S..~..H.S..~Q.H.S.RichI.S.PE..d.....lf.........." .........................................................@............`.......................................................... ..`................(..............T............................................................................rdata..X...........................@..@.rsrc...`.... ......................@..@......lf........j...l...l.........lf..........................lf........l...................................RSDS..^...qO.h"..c.:....D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscorrc\mscorrc.pdb...............................T....rdata..T........rdata$voltmd...l........rdata$zzzdbg.... .......rsrc$01.....;.......rsrc$02....................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\msquic.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):517032
                                                                                                  Entropy (8bit):6.327188439808119
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:DD4t2kjj3Ueh/9WoJcDSdiA9HuUrUb9KcvYCxe3Rw42SISaVGxQJyRMq1KsLGjrT:DDrkjjUoJcDSdiw4QcO3RoS9MV
                                                                                                  MD5:B5D0F85E7C820DB76EF2F4535552F03C
                                                                                                  SHA1:91EFF42F542175A41549BC966E9B249B65743951
                                                                                                  SHA-256:3D6D6E7A6F4729A7A416165BEABDA8A281AFFF082EBB538DF29E8F03E1A4741C
                                                                                                  SHA-512:5246EBEAF84A0486FF5ADB2083F60465FC68393D50AF05D17F704D08229CE948860018CBE880C40D5700154C3E61FC735C451044F85E03D78568D60DE80752F7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.................................................................................7...2......2......2.7....._....2......Rich............................PE..d.....Mb.........." .................E.......................................0.......H....`A........................................0y..|....y....... ..h........>.......'... ..........T...............................8............... ............................text...z........................... ..`.rdata...{.......|..................@..@.data...p2...........r..............@....pdata...>.......@...~..............@..@_RDATA..............................@..@.rsrc...h.... ......................@..@.reloc....... ......................@..B........................................................................................................................................................................

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):101664
                                                                                                  Entropy (8bit):5.505707682437033
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:oiTrnaN0HjO8MZYq5V4bgDHsPdPpwSJ5L3Akcg9Qc7WUEp4za:JaN8qZYe4bgDUnNKc7nXm
                                                                                                  MD5:6F476F66A2C6228DA38FE6C7ED7CA439
                                                                                                  SHA1:2C13ABA2E1A19F00C98A1AB82066512B6B555375
                                                                                                  SHA-256:78798868341E36FC9B782AB9313CC7035C5173509552F4BB95B44A5D0D044B23
                                                                                                  SHA-512:C3E5132101845D821D040ABE97EE2EA07D04135ADFD11E880D08000C8B03ECC7853AF7CEE5BF18C07361F29C5867D9A7120F6F1D4053F624E25F6021C8E03367
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dll, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\netstandard.dll, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%$..........." ..0..Z..........6x... ........... ....................................`..................................w..O.......8............d.. )...........w..T............................................ ............... ..H............text...<X... ...Z.................. ..`.rsrc...8............\..............@..@.reloc...............b..............@..B.................x......H.......P ..DV...................v......................................BSJB............v4.0.30319......l.......#~..,.......#Strings.....R......#US..R......#GUID....R..P...#Blob............T.........3................................U...(......H.........5*....;*....'8.........., A...7.J..P4*U..5#*U...:*U..n7*U..&1*U....*U.../*U..(7*U...(*U...T-..../-...i&....7*................./...../...../...)./...1./...9./...A./...I./...Q./...Y./...a./...i./...q./...y./...../. .../...../...

                                                                                                  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\ucrtbase.dll

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1122768
                                                                                                  Entropy (8bit):6.6466118295886165
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:CJG2BrB3ZQAq0AT2jS9HKHdK6AccMs1wmxvSZX0ypFi:0VGrT6SAk3ei
                                                                                                  MD5:3B337C2D41069B0A1E43E30F891C3813
                                                                                                  SHA1:EBEE2827B5CB153CBBB51C9718DA1549FA80FC5C
                                                                                                  SHA-256:C04DAEBA7E7C4B711D33993AB4C51A2E087F98F4211AEA0DCB3A216656BA0AB7
                                                                                                  SHA-512:FDB3012A71221447B35757ED2BDCA6ED1F8833B2F81D03AABEBD2CD7780A33A9C3D816535D03C5C3EDD5AAF11D91156842B380E2A63135E3C7F87193AD211499
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........T...:K..:K..:K..K..:K..;K..:KK..K..:KK.:J..:KK.9J..:KK.?J..:KK.>J.:KK.4J..:KK..K..:KK.8J..:KRich..:K........PE..d................" .....0..........0^...............................................N....`A................................................................. ...........!...... .......p............................Z..8..............(............................text...X .......0.................. ..`.rdata......@.......@..............@..@.data....&....... ..................@....pdata....... ......................@..@.rsrc...............................@..@.reloc.. ...........................@..B................................................................................................................................................................................................................................................................

                                                                                                  C:\ProgramData\AnyDesk\ad_f45e5af2_msi\ad_f45e5af2_msi_svc.trace

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):21218
                                                                                                  Entropy (8bit):4.326229247137327
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:EljmuBmw0btQjr7rmN5JHaaf6WbWbdX0X4XvX1X7XyX4XcvjiljenMjy/F/f7ex+:EljN0btQjr+jqypf7eT9joMxa
                                                                                                  MD5:50E5444443FE2B9FE0CDB48B342F6B31
                                                                                                  SHA1:D8737C57896F24FA52BBDA98F3844EA10C4CA770
                                                                                                  SHA-256:5B3A4C76707F01E0BFA10C3213564BF210ABA03CE95F8AC275DCD2E54D5CD405
                                                                                                  SHA-512:3B2193BC2DBE1BCCA67D895762F7D9EB220DE91F3CF6822F185774BDED00CF0873BF158183719C98396EA93673D7F4619941DD1234E28F3E6E8B4F2FF06AA457
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview: * * * * * * * * * * * * * * * * * *.. info 2024-09-04 12:40:14.174 gsvc 4200 5100 main - * AnyDesk Windows Startup *.. info 2024-09-04 12:40:14.174 gsvc 4200 5100 main - * Version 7.0.15 ((detached head) ef6b1cfa00ddfb8863d92ed81fc54976587c3856, custom MSI, ad_f45e5af2_msi).. info 2024-09-04 12:40:14.174 gsvc 4200 5100 main - * Custom Client (4054f5d4-f05b-40b2-92fc-79545022ffd0).. info 2024-09-04 12:40:14.174 gsvc 4200 5100 main - * Checksum e8bf46ed8c3b1d049e50c740ba4917c3.. info 2024-09-04 12:40:14.174 gsvc 4200 5100 main - * Build 20240127194500.. info 2024-09-04 12:40:14.174 gsvc 4200 5100 main - * Copyright (C) 2024 AnyDesk Software GmbH *.. info 2024-09-04 12:40:14.174 gsvc 4200 5100

                                                                                                  C:\ProgramData\AnyDesk\ad_f45e5af2_msi\service.conf

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:ASCII text, with very long lines (1747)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2852
                                                                                                  Entropy (8bit):6.021509596411972
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:uISTv2XQIibphalP0swhif74d5HJjUIdDhmg5FaTzSDCH02BCEmMrjDqAQ6p73PG:uISTv2AIiQPzwofEXpXPafSmH02EzMre
                                                                                                  MD5:ACA55172CB537855C8D3ADE9F36C861C
                                                                                                  SHA1:3F123B802C99B75A0D90CBB02BBED4FDEB17EC4D
                                                                                                  SHA-256:31199F2CF3430857375B767F8FCE91CD4B7E59697CD92F3EBC6CFAC1809E1D93
                                                                                                  SHA-512:4E14AA1C5713F1077B66F6DC209A5E07812DA106C528FAF26885E33567C42C2F18BF973582FA7633D52B47399752DD8A94186980F5681F11DD4AA2FA69131BF2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:ad.anynet.cert=-----BEGIN CERTIFICATE-----\nMIICqDCCAZACAQEwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UEAwwOQW55RGVzayBD\nbGllbnQwIBcNMjQwOTA0MTI0MDE1WhgPMjA3NDA4MjMxMjQwMTVaMBkxFzAVBgNV\nBAMMDkFueURlc2sgQ2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAxTa3qDzlIFrgx3Rye8Eh6x8x2cGuNArONC7BWAd9gN+HHJLYWId/pUWC58s/\niYAcLJQZA/iNv8FmLyWKmoxn/wSEshosS3k9T+LQKnVvUSO7wqD8aDGcBzWFNCD+\nGXom3aY6dVkq6gyEmEGx92unaSg4yRExEOh9knXLVX33YYHwpw3TTtQgMPXxyHKh\nGrTGTKHKpxtSv27tdgRTRe6IUA2LaCR4Mq5uFsbnJOrXqGZca5wxPBeTUaT9vFiR\nBv8Wc1XqlhRwX3O83GBVlemREMhJBRTXxVDIJ5EZDEue4BfnIySFJXUquc5qnWQx\n91RXgJQZxUrJ3HE9z7XgushEjQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCa8lKO\nHYN1rQyPr2h0VZkGHUyj8O9n6RLjfzknMdA6ipihTorZHDqorQbebMCqh0Vl6ErJ\nS78ya7+HKQ3ZodkXibO5wFMMjpihTVPSJ//WJ1tVB20W8LQaqGfETVZuDBF36vI3\nwQ4a0MVpCvS8xl4BIEBkjB6MnNiriEvIQQ9Mc2BIntLErMpisaWMbF4+nVBLaMCY\natvWvttarG35DW0c2MvpjWjyhTPL2XqLWkTbgTI8ihlrnf7VBdL+xPTMsb7GJp8S\nCdth0xPUeCXjZSMlx/+8Hv48gsIVoG4HotLJ2+ABXcl4Zu99WcQAodVEsou6zUKS\nF++P7KN1F8MS1muV\n-----END CERTI

                                                                                                  C:\ProgramData\AnyDesk\ad_f45e5af2_msi\system.conf

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):688
                                                                                                  Entropy (8bit):4.8494631854793075
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:oizQCJkPjLLBVo8I95sQx0R+iBs7lNqQHvWhQ4xhroBGgFBGETp/7:QX4Xxo+iBs5sAw3PtBET9
                                                                                                  MD5:98F597290D66066A88537AFB532E06D3
                                                                                                  SHA1:F88DB2A6717DA71C2EB49D158863C77080DF0AF6
                                                                                                  SHA-256:6067E742F94B3F5E7C6C5AE636F57FF41D8FC683B92D7C2A8F5D936119C3F2F7
                                                                                                  SHA-512:365A8BDEED2AE77698D31D41CA70209450DA610907A9721A27FBA63EA7B07181EAB4E9E0C8AC4A11720DFF89EAA66C91551072310C78ADCA60C2FE2D9D12E692
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:ad.ancl.cached_config=AAQAAAABAAAAAAAAAAAAAAAA.ad.anynet.alias=.ad.anynet.cur_version=34359738380.ad.anynet.fpr=6bd34a54a284354e10c1aa3019cc59bdacbb591f.ad.anynet.id=1534382390.ad.anynet.last_relay=relay-6a630189.net.anydesk.com:80:443:6568.ad.anynet.network_id=main.ad.anynet.relay.fatal_result=1.0.ad.anynet.relay.state=2.ad.license.name=power-1.ad.security.frontend_clipboard=1.ad.security.frontend_clipboard_files=1.ad.security.frontend_clipboard_version=1.ad.security.permission_profiles._default.permissions.sas=1.ad.security.permission_profiles._unattended_access.permissions.sas=1.ad.security.permission_profiles.version=1.ad.wol.mac_hash=2c2cef54380166114298c0b8b9d6aba576b6d5d4.

                                                                                                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnyDesk Custom Client\AnyDesk Custom Client.lnk

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2583
                                                                                                  Entropy (8bit):2.560504217109505
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:8BUCZsn74l0Y/a+M0yZdTfut+M0y8gpIU3MSZKndtD4W0y:8BBc74lIZdSt58fUcSZKn0W
                                                                                                  MD5:E739C98A0C6767830DFA4F25F3B7C2BB
                                                                                                  SHA1:6FA80E68758EAD5C0A6D3E3019B0B1BB243ED46C
                                                                                                  SHA-256:989C59C589A852F232114CAD498E53F24410A82FF2494FDDB818D215910DF4DE
                                                                                                  SHA-512:CB983BC7C619689C99A8F46025ACDC08C777B1E52D2494EE558E0E2794673061DEEA0324992DB994C953503D8ED71299699E945FF8AA3E281AEEBBCE56BDCF5B
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:L..................F.P...........................................................P.O. .:i.....+00.../C:\...................V.1.....EW.S..Windows.@......OwH$Y.d....3.....................h.*.W.i.n.d.o.w.s.....\.1.....$Y.e..Installer.D......O.I$Y.e..............................I.n.s.t.a.l.l.e.r.......1.....$Y.e..{96B92~1..~......$Y.e$Y.e.....>....................."..{.9.6.B.9.2.D.F.A.-.8.1.A.3.-.4.7.9.0.-.B.D.F.9.-.3.D.2.8.5.6.4.F.5.6.E.6.}.....b.2.P.;.$Y.e!.AnyDesk.ico.H......$Y.e$Y.e.....>....................."..A.n.y.D.e.s.k...i.c.o.........A.n.y.D.e.s.k. .C.u.s.t.o.m. .C.l.i.e.n.t.V.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.9.6.B.9.2.D.F.A.-.8.1.A.3.-.4.7.9.0.-.B.D.F.9.-.3.D.2.8.5.6.4.F.5.6.E.6.}.\.A.n.y.D.e.s.k...i.c.o.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.n.y.D.e.s.k.-.f.4.5.e.5.a.f.2._.m.s.i.\.G.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.9.6.B.9.2.D.F.A.-.8.1.A.3.-.4.7.9.0.-.B.D.F.9.-.3.D.2.8.5.6.4.F.5.6.E.6.}.\.A.n.y.D.e.s.k...i.c

                                                                                                  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\AnyDesk Custom Client.lnk

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2603
                                                                                                  Entropy (8bit):2.568574084337642
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:8hUCZsn740Y/a+M0yZdTfuSL8+M0y8gpIU3MSZKndtD4W0y:8hBc74IZdSSQ58fUcSZKn0W
                                                                                                  MD5:8E4E81B7DC7C2F70A629F891938211EC
                                                                                                  SHA1:017250AC1516558109AAA94A0821A36D694BC193
                                                                                                  SHA-256:0FD8A9883FFAAFFF88868C48E5346DD21CCE98824BD69D3A9EA3A2890AA47DA2
                                                                                                  SHA-512:4E2361987B1BAF94C6EA5D4AC801E4E192EE0B05D2BB532ED1091BF2A0B27E0917611CB4396F7B39F5A41D18015A75306E0A2049813495978588FCA0F6194E4A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:L..................F.P...........................................................P.O. .:i.....+00.../C:\...................V.1.....EW.S..Windows.@......OwH$Y.d....3.....................h.*.W.i.n.d.o.w.s.....\.1.....$Y.e..Installer.D......O.I$Y.e..........................."..I.n.s.t.a.l.l.e.r.......1.....$Y.e..{96B92~1..~......$Y.e$Y.e.....>....................."..{.9.6.B.9.2.D.F.A.-.8.1.A.3.-.4.7.9.0.-.B.D.F.9.-.3.D.2.8.5.6.4.F.5.6.E.6.}.....b.2.P.;.$Y.e!.AnyDesk.ico.H......$Y.e$Y.e.....>....................."..A.n.y.D.e.s.k...i.c.o.........A.n.y.D.e.s.k. .C.u.s.t.o.m. .C.l.i.e.n.t.V.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.9.6.B.9.2.D.F.A.-.8.1.A.3.-.4.7.9.0.-.B.D.F.9.-.3.D.2.8.5.6.4.F.5.6.E.6.}.\.A.n.y.D.e.s.k...i.c.o.,.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.n.y.D.e.s.k.-.f.4.5.e.5.a.f.2._.m.s.i.\...-.-.c.o.n.t.r.o.l.G.C.:.\.W.i.n.d.o.w.s.\.I.n.s.t.a.l.l.e.r.\.{.9.6.B.9.2.D.F.A.-.8.1.A.3.-.4.7.9.0.-.B.D.F.9.-.3.D.2.8.5.6.4.F.5.6.E.6.}.\

                                                                                                  C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\svchost.exe
                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):999
                                                                                                  Entropy (8bit):4.966299883488245
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
                                                                                                  MD5:24567B9212F806F6E3E27CDEB07728C0
                                                                                                  SHA1:371AE77042FFF52327BF4B929495D5603404107D
                                                                                                  SHA-256:82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
                                                                                                  SHA-512:5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:5l:7
                                                                                                  MD5:2DD3F3C33E7100EC0D4DBBCA9774B044
                                                                                                  SHA1:B254D47F2B9769F13B033CAE2B0571D68D42E5EB
                                                                                                  SHA-256:5A00CC998E0D0285B729964AFD20618CBAECFA7791FECDB843B535491A83AE21
                                                                                                  SHA-512:C719D8C54A3A749A41B8FC430405DB7FCDE829C150F27C89015793CA06018AD9D6833F20AB7E0CFDA99E16322B52A19C080E8C618F996FC8923488819E6E14BB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1048576
                                                                                                  Entropy (8bit):0.01234917421777367
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:ZVuc0UqTYwAijxWph6dPrYkhWMTWA5OGW6raD/TIl:ZVuxYdip57uTI
                                                                                                  MD5:0191792C9154D5996521EC60F87DA530
                                                                                                  SHA1:ADF5075D7A5C51EA84F6D4F4C660D528BF32A264
                                                                                                  SHA-256:DD2B6F4870BD8C55A17F09B178AC2A7D7B2C52370A96FAA2B6E1462343C8AB74
                                                                                                  SHA-512:3B2B567A61D35391DF160FE55C3AD4369B25BA59EE1FD2963944C0116B8FEDA3F5148A977EB89D9614D0E47FA2AA08ED613D1231D8849184C0AFDDAE9CB325B3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................CMMM......H..... ...........................l&.Rv:...h.1.7.1.4.0.9.d.3.f.4.4.8.1.d.c.3...BM............|............. ......................................... niW........................................................................................................GGG`GGG`................................................GGG.GGG.GGG.GGG.GGG.GGG.....................................GGG0GGG.EV^.:....X..WJ>.GGG.GGG0............................GGG0GGG.Bl..7...6....^...\..nN1.GGG.GGG0....................GGG0GGG.Bs..8...7...6...._...^...]..vO,.GGG.GGG0................GGG.E]i.9...8...8...7....`..._...^...]..^K:.GGG.............GGG`GGG.=...:...9...8...8....a...`..._...^...Y..GGG.GGG`........GGG.Ct..;...:...:...9...8....c...a...`..._...^..vO,.GGG.........GGG.._...i...i...g...f...e..8...8...7...6...6...;...GGG.........GGG..c...k...i...i...g...f..9...8...8...7...6...:...GGG.........GGG..m...l...k...i...i...g..:...9...8...8...7...6...GGG.........GGG..n...m...l...k...i...i..

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:A/lll:A/
                                                                                                  MD5:635E15CB045FF4CF0E6A31C827225767
                                                                                                  SHA1:F1EAAA628678441481309261FABC9D155C0DD6CB
                                                                                                  SHA-256:67219E5AD98A31E8FA8593323CD2024C1CA54D65985D895E8830AE356C7BDF1D
                                                                                                  SHA-512:81172AE72153B24391C19556982A316E16E638F5322B11569D76B28E154250D0D2F31E83E9E832180E34ADD0D63B24D36DD8A0CEE80E8B46D96639BFF811FA58
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:7/lll:x
                                                                                                  MD5:F6B463BE7B50F3CC5D911B76002A6B36
                                                                                                  SHA1:C94920D1E0207B0F53D623A96F48D635314924D2
                                                                                                  SHA-256:16E4D1B41517B48CE562349E3895013C6D6A0DF4FCFFC2DA752498E33C4D9078
                                                                                                  SHA-512:4D155DFEDD3D44EDFBBE7AC84D3E81141D4BB665399C2A5CF01605C24BD12E6FAF87BB5B666EA392E1B246005DFABDE2208ED515CD612D34BAC7F965FD6CC57E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:lX:1
                                                                                                  MD5:2D84AD5CFDF57BD4E3656BCFD9A864EA
                                                                                                  SHA1:B7B82E72891E16D837A54F94960F9B3C83DC5552
                                                                                                  SHA-256:D241584A3FD4A91976FAFD5EC427E88F6E60998954DEC39E388AF88316AF3552
                                                                                                  SHA-512:0D9BC1EE51A4FB91B24E37F85AFBF88376C88345483D686C6CFF84066544287C98534AA701D7D4D52E53F10A3BEA73EE8BC38D18425FDE6D66352F8B76C0CBB5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:2/l/:S/
                                                                                                  MD5:60476A101249AEDFF09A43E047040191
                                                                                                  SHA1:DE5B6A0ADC7DE7180E19286CF0F13567278CDB64
                                                                                                  SHA-256:35BC77A06BFDDE8C8F3A474C88520262B88C7B8992EE6B2D5CF41DDDC77A83FB
                                                                                                  SHA-512:F1D2DCC562A36434C6C6405EC4EAC7ECFA76FC5A940114DA6F94495B77584A132D5D82AD3556DF749490BE096CFD238FA8B484B7C734CBC4D074E963E5D451F4
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:3X:n
                                                                                                  MD5:AE6FBDED57F9F7D048B95468DDEE47CA
                                                                                                  SHA1:C4473EA845BE2FB5D28A61EFD72F19D74D5FC82E
                                                                                                  SHA-256:D3C9D1FF7B54B653C6A1125CAC49F52070338A2DD271817BBA8853E99C0F33A9
                                                                                                  SHA-512:F119D5AD9162F0F5D376E03A9EA15E30658780E18DD86E81812DDA8DDF59ADDD1DAA0706B2F5486DF8F17429C2C60AA05D4F041A2082FD2EC6EA8CC9469FADE3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:Wtl:WX
                                                                                                  MD5:D192F7C343602D02E3E020807707006E
                                                                                                  SHA1:82259C6CB5B1F31CC2079A083BC93C726BFC4FBF
                                                                                                  SHA-256:BB4D233C90BDBEE6EF83E40BFF1149EA884EFA790B3BEF496164DF6F90297C48
                                                                                                  SHA-512:AEC90CF52646B5B0EF00CEB2A8D739BEFE456D08551C031E8DEC6E1F549A6535C1870ADB62EEC0A292787AE6A7876388DD1B2C884CBA8CC6E2D7993790102F43
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:s:s
                                                                                                  MD5:2A8875D2AF46255DB8324AAD9687D0B7
                                                                                                  SHA1:7A066FA7B69FB5450C26A1718B79AD27A9021CA9
                                                                                                  SHA-256:54097CCCAE0CFCE5608466BA5A5CA2A3DFEAC536964EEC532540F3B837F5A7C7
                                                                                                  SHA-512:2C39F05A4DFFD30800BB7FBB3FF2018CF4CC96398460B7492F05CE6AFD59079FD6E3EB7C4F8384A35A954A22B4934C162A38534AD76CFB2FD772BCF10E211F7C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:a/l/:e/
                                                                                                  MD5:F732BF1006B6529CFFBA2B9F50C4B07F
                                                                                                  SHA1:D3E8D4AF812BBC4F4013C53C4FFAB992D1D714E3
                                                                                                  SHA-256:77739084A27CB320F208AC1927D3D9C3CAC42748DBDF6229684EF18352D95067
                                                                                                  SHA-512:064D56217AEB2980A3BFAA1E252404613624D600C3A08B5CF0ADCB259596A1C60EE903FDC2650972785E5AE9B7B51890DED01EC4DA7B4DE94EBDA08AEAF662DF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:EX:EX
                                                                                                  MD5:FC94FE7BD3975E75CEFAD79F5908F7B3
                                                                                                  SHA1:78E7DA8D08E8898E956521D3B1BABBF6524E1DCA
                                                                                                  SHA-256:EE1ED3B49720B22D5FDA63D3C46D62A96CA8838C76AB2D2F580B1E7745521AA5
                                                                                                  SHA-512:4CEAF9021B30734F4CE8B4D4A057539472E68C0ADD199CF9C3D1C1C95320DA3884CAF46943FC9F7281607AB7FA6476027860EBED8BBAA9C44B3F4056B5E074D3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7416
                                                                                                  Entropy (8bit):0.1225205706908585
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:tn6lBlll9/l9elDLxvtJR1//:0BtEDL1tD1X
                                                                                                  MD5:B49BCFA129F8065708866812A31F0B1E
                                                                                                  SHA1:47CA87DDE3AC9BD47B17E64EE207ED8231EBA1E0
                                                                                                  SHA-256:F2D9EE91E2125CA389578657D8E39E3D303831FF4B88DF578B206C64B4E56562
                                                                                                  SHA-512:15FCCF6C3708A4178EF7B5A722DE4472A153192B2007F1A326508D74575FB9BAB00898AA23114249D3DB16C73645CF27A4B1351481B752EAD9B2D11D60D23235
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..0 IMMM ...............e...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6:6
                                                                                                  MD5:379523B9F5D5B954E719B664846DBF8F
                                                                                                  SHA1:930823EC80B85EDD22BAF555CAD21CDF48F066AA
                                                                                                  SHA-256:3C9002CAEDF0C007134A7E632C72588945A4892B6D7AD3977224A6A5A7457BF4
                                                                                                  SHA-512:ECA44DE86BBC3309FA6EAB400154D123DCD97DC1DB79554CE58CE2426854197E2365F5EEE42BAC6E6E9455561B206F592E159EF82FAF229212864894E6021E98
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:V/l/:/
                                                                                                  MD5:5F243BF7CC0A348B6D31460A91173E71
                                                                                                  SHA1:5696B34625F027EC01765FC2BE49EFCFD882BF8E
                                                                                                  SHA-256:1B1AED169F2ACFAE4CF230701BDA91229CB582FF2CE29A413C5B8FE3B890D289
                                                                                                  SHA-512:9E08DFBBF20668B86DF696A0D5969E04E6EE4A67E997FF392099BC7FF184B1B8965502215744BE7FE423668B69099242BBA54DF3F0BFE4E70ACDC7CAD8195B02
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24
                                                                                                  Entropy (8bit):1.6368421881310118
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:J:J
                                                                                                  MD5:DB7C049E5E4E336D76D5A744C28C54C8
                                                                                                  SHA1:A4DB9C8586B9E4FA24416EB0D00F06A9EBD16B02
                                                                                                  SHA-256:E8830E7AC4088CF3DD464CAEC33A0035D966A7DE5AE4EFC3580D59A41916FF7B
                                                                                                  SHA-512:B614037FB1C7D19D704BF15F355672114D25080223E7EE4424AD2CB7B89782219E7877B373BBC7FA44F3AD8DF8A27EEF4E8CCC765D44EC02A61E3B7FAE88AE69
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:CMMM ...................

                                                                                                  C:\Users\Default\AppData\Roaming\AnyDesk\ad_f45e5af2_msi\user.conf

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  File Type:ASCII text, with very long lines (494)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1003
                                                                                                  Entropy (8bit):4.272146434930785
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:snKdRX4kIXfQYE0UaOfWLp9YenKdRXN/KpgMx1IegS0Q:snoO8EXLoenovCgkbgS0Q
                                                                                                  MD5:40D53F102FE05CE9F6CBC83E95A60F7B
                                                                                                  SHA1:0F67CA901503D596B509CCBFADE22BCB946E9B83
                                                                                                  SHA-256:2894987DC9ABD4DA727CB8A88ADE0F666447F60F0E3D8A73A5A3C01797DC8D6B
                                                                                                  SHA-512:682611015048D4FD82E3DD1F9BD53FF1AAE2C7EEE1495567CF3CD462C996A323E05201648E8A971AA1D16F84D98B494A34221B20EED9BA6F3CCE0D6BA0CA2E72
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:ad.invite.created_list_encrypted=6fa74c609a01f31f1f670668df954f4642a4aae8018a18da4707bf190d195af18f24402907d20d310bf648310f1fa2df0b53d2e90e4e008262013ecaea92c21d50845abbee6d36826c024255a450207ff8f597541405ab110be34e5571fec27374ab0862b47b212f41cf5778b89c1c51d9fb0c57f7076fb81ee1ed9fe6634f3615b328726436d81ed09cdbecc08e5470f0d9e37420cc407b20e97417710a0382dc07806804e9c423c65e2820fcd6c0bfd865919f74d1323433eb3d8f83720ad42fce57cd23ef58192168c3571aebfa68426b9d0580b44430457d1295e93e6f73a46430ff5b1e.ad.invite.received_list_encrypted=6fa74c609a01f31f1f670668df954f4642a4aae8018a18da4707bf190d195af18f24402907d20d310bf648310f1fa2df0b53d2e90e4e008262013ecaea922569741ce2da39d6bd91466e0ccd255867ea743ad4fca23b88b37aecd04a60eec27374ab0862b47b212f41cf5778b89cdd6fe779ee607f6633062ef01d85a3bd4bb53af87c5635a1b2aa44391048b5675470f0d9c09a0ec3301b2cd04b7e78e658cc949f806804e9ea48f4f189175a93a0e9c53aff24256bcda80a0d53cfa73b79ea62dae3e187f39f08965b1564acddab8cce1f1bbfe005c7918330ec3d92478e2b8de67a45fa23.ad.ui.lang=

                                                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2185
                                                                                                  Entropy (8bit):5.367446816394887
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTH3:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwmG
                                                                                                  MD5:EBD2500EFFB5FA5D3015D4BAAF44E181
                                                                                                  SHA1:85D657B7B3E9A2C416AB569056C33E44948BAEDC
                                                                                                  SHA-256:8B48A51506E63EB4124333588BD239DB9245B2C83454E6BA30C19387628AEFF5
                                                                                                  SHA-512:B31847112BA1BAD13818FDF059D41B95B85605FABBE1EF606863957E4395D635AF29080A5AA7A8F6A88452BFDC445BD6DB2D14872302A91D53EFC8EA7D247832
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a

                                                                                                  C:\Windows\Installer\67ba71.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {352F53AF-93CF-49B0-A97C-42FE183A477F}, Create Time/Date: Mon Mar 16 10:59:40 2020, Last Saved Time/Date: Mon Mar 16 10:59:40 2020, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):634880
                                                                                                  Entropy (8bit):7.58991808861058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:Iwdvg7+Cq7zs913vtwSI1hFO0pSuw5+8jOZy2KsGU6a4Ksw:Iwvs913vtzOhwVuahOE2Z34KV
                                                                                                  MD5:3F3CD65706B50287FD2BA986DACD6CB0
                                                                                                  SHA1:856D68EAA9EC542C2D9A5229BFEB97F16470CCA9
                                                                                                  SHA-256:5DDC52155A66F0D761D56269200A4D0DE19A4C4C1FFB20AAD9757F0F3CE5C049
                                                                                                  SHA-512:E2F75BF6B44F2FE9B3F6CD8BD9308A707186599AE76FE1370545853ACCD67EB68C51C2CD71653B86B447822514C06D3158FC30076BF859CF540EA4ECC36138F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\67ba73.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {352F53AF-93CF-49B0-A97C-42FE183A477F}, Create Time/Date: Mon Mar 16 10:59:40 2020, Last Saved Time/Date: Mon Mar 16 10:59:40 2020, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):634880
                                                                                                  Entropy (8bit):7.58991808861058
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:Iwdvg7+Cq7zs913vtwSI1hFO0pSuw5+8jOZy2KsGU6a4Ksw:Iwvs913vtzOhwVuahOE2Z34KV
                                                                                                  MD5:3F3CD65706B50287FD2BA986DACD6CB0
                                                                                                  SHA1:856D68EAA9EC542C2D9A5229BFEB97F16470CCA9
                                                                                                  SHA-256:5DDC52155A66F0D761D56269200A4D0DE19A4C4C1FFB20AAD9757F0F3CE5C049
                                                                                                  SHA-512:E2F75BF6B44F2FE9B3F6CD8BD9308A707186599AE76FE1370545853ACCD67EB68C51C2CD71653B86B447822514C06D3158FC30076BF859CF540EA4ECC36138F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\67ba74.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AnyDesk Custom Client, Author: Anydesk Software GmbH, Keywords: Installer, Comments: This installer database contains the logic and data required to install AnyDesk Custom Client., Template: Intel;1033, Revision Number: {628CD9B4-A962-4498-B76B-D464D49A354A}, Create Time/Date: Thu Aug 29 00:38:02 2024, Last Saved Time/Date: Thu Aug 29 00:38:02 2024, Number of Pages: 100, Number of Words: 2, Name of Creating Application: Windows Installer XML (), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8057344
                                                                                                  Entropy (8bit):7.988953383231983
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:196608:OILymQxPL57QTIagWYNK4SCwojU9WAVxeIMK4+q4/40qZdRg:TapCk4YNKroId4zLD0qZ
                                                                                                  MD5:383BFB6F7210EBC9DC025754987B53B0
                                                                                                  SHA1:93FD6096C8DB53F25B16662B270D48814D6166DD
                                                                                                  SHA-256:8DAEF36F8974C24D0FA70124B9EDCEB1162BBFDF95939A905F6D95F3F80B72DB
                                                                                                  SHA-512:AF73AA9E77EDC5F4D3E694E6AE42F209CE676F4C437EA0C4E4D21E4FFA291F2B3C8871FFC2E14C72440F5657258517C3526444AF9700BE4C20167303BC3893E2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...................{........................6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........a=......O=..L=...................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                  C:\Windows\Installer\67ba77.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AnyDesk Custom Client, Author: Anydesk Software GmbH, Keywords: Installer, Comments: This installer database contains the logic and data required to install AnyDesk Custom Client., Template: Intel;1033, Revision Number: {628CD9B4-A962-4498-B76B-D464D49A354A}, Create Time/Date: Thu Aug 29 00:38:02 2024, Last Saved Time/Date: Thu Aug 29 00:38:02 2024, Number of Pages: 100, Number of Words: 2, Name of Creating Application: Windows Installer XML (), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8057344
                                                                                                  Entropy (8bit):7.988953383231983
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:196608:OILymQxPL57QTIagWYNK4SCwojU9WAVxeIMK4+q4/40qZdRg:TapCk4YNKroId4zLD0qZ
                                                                                                  MD5:383BFB6F7210EBC9DC025754987B53B0
                                                                                                  SHA1:93FD6096C8DB53F25B16662B270D48814D6166DD
                                                                                                  SHA-256:8DAEF36F8974C24D0FA70124B9EDCEB1162BBFDF95939A905F6D95F3F80B72DB
                                                                                                  SHA-512:AF73AA9E77EDC5F4D3E694E6AE42F209CE676F4C437EA0C4E4D21E4FFA291F2B3C8871FFC2E14C72440F5657258517C3526444AF9700BE4C20167303BC3893E2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...................{........................6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........a=......O=..L=...................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                  C:\Windows\Installer\67ba78.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {2D689290-A367-4547-AD1E-5C025376FB63}, Create Time/Date: Mon Mar 16 10:59:42 2020, Last Saved Time/Date: Mon Mar 16 10:59:42 2020, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):638976
                                                                                                  Entropy (8bit):7.5889190112758556
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:5wdvg7+Cq7zs913vtwSI1hFO0pSuwu+8jOZy2KsGU6a4KsU:5wvs913vtzOhwVuFhOE2Z34KF
                                                                                                  MD5:F33B8E1AAC1CD66702FFD955C80DF40D
                                                                                                  SHA1:B2262879F16CF1B3A75205DA9A2F99849B01C91F
                                                                                                  SHA-256:DD95DE7B329024C33F2793227585AA185D2C1E32AF4B6D972507E123851D9EEA
                                                                                                  SHA-512:2F81AA584363A2C9A6911136BFCB0AEB1C4FEA54C41DB51FD17D11379D1CD6C51940825DC5827E998FDB9B2461F49DA3D2B653A4469D55FC7F2699A921DD89B5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\67ba82.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {2D689290-A367-4547-AD1E-5C025376FB63}, Create Time/Date: Mon Mar 16 10:59:42 2020, Last Saved Time/Date: Mon Mar 16 10:59:42 2020, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):638976
                                                                                                  Entropy (8bit):7.5889190112758556
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:5wdvg7+Cq7zs913vtwSI1hFO0pSuwu+8jOZy2KsGU6a4KsU:5wvs913vtzOhwVuFhOE2Z34KF
                                                                                                  MD5:F33B8E1AAC1CD66702FFD955C80DF40D
                                                                                                  SHA1:B2262879F16CF1B3A75205DA9A2F99849B01C91F
                                                                                                  SHA-256:DD95DE7B329024C33F2793227585AA185D2C1E32AF4B6D972507E123851D9EEA
                                                                                                  SHA-512:2F81AA584363A2C9A6911136BFCB0AEB1C4FEA54C41DB51FD17D11379D1CD6C51940825DC5827E998FDB9B2461F49DA3D2B653A4469D55FC7F2699A921DD89B5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\67ba83.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 6.0.32 (x64)., Template: x64;1033, Revision Number: {81A6B662-3AB0-42DC-AE22-74E8036F80FA}, Create Time/Date: Sun Jun 16 06:00:54 2024, Last Saved Time/Date: Sun Jun 16 06:00:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27222016
                                                                                                  Entropy (8bit):7.99350983480325
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:786432:xUjjZm/yN+5DsfeR/WZGvLF3bApyMYhKj:xS4/yN+NsG/WZQF3EpJYhK
                                                                                                  MD5:4E9EB394F40E78755FA76E67F9190CD0
                                                                                                  SHA1:36310C7F007992D911E8402E4AA34A2BB1682063
                                                                                                  SHA-256:8701E309396C5232A4FE1606C6E3549134FE01DC0D9FE4A74CB9D26531DDD9A4
                                                                                                  SHA-512:2CB71F44E7BBA16143120512718DD128185A5063BA4767146D10C93B81B6CAA4226CFC30FA44B1E50EE41C37B55852E32EA63554FD438FB9ED60DE2CE93CA8E3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\67ba86.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Runtime - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Runtime - 6.0.32 (x64)., Template: x64;1033, Revision Number: {81A6B662-3AB0-42DC-AE22-74E8036F80FA}, Create Time/Date: Sun Jun 16 06:00:54 2024, Last Saved Time/Date: Sun Jun 16 06:00:54 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27222016
                                                                                                  Entropy (8bit):7.99350983480325
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:786432:xUjjZm/yN+5DsfeR/WZGvLF3bApyMYhKj:xS4/yN+NsG/WZQF3EpJYhK
                                                                                                  MD5:4E9EB394F40E78755FA76E67F9190CD0
                                                                                                  SHA1:36310C7F007992D911E8402E4AA34A2BB1682063
                                                                                                  SHA-256:8701E309396C5232A4FE1606C6E3549134FE01DC0D9FE4A74CB9D26531DDD9A4
                                                                                                  SHA-512:2CB71F44E7BBA16143120512718DD128185A5063BA4767146D10C93B81B6CAA4226CFC30FA44B1E50EE41C37B55852E32EA63554FD438FB9ED60DE2CE93CA8E3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\67ba87.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 6.0.32 (x64)., Template: x64;1033, Revision Number: {43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}, Create Time/Date: Sun Jun 16 06:00:06 2024, Last Saved Time/Date: Sun Jun 16 06:00:06 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):876544
                                                                                                  Entropy (8bit):6.767183882536547
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:219IeVsJxYRR3cqU8VKIvZUlkj/cBhZeK4lu/XdmYwh:2jIxCMHWvZgkjcDefMFmL
                                                                                                  MD5:46DB6C104F1B633927DEE575B5C38C0B
                                                                                                  SHA1:9D5E6CF836E28959181B855102E70F5A37550314
                                                                                                  SHA-256:2C8DFB556F4A6576205AF03F8D5E2F0A939395CA2DE6D69F06478B3008D1A2CE
                                                                                                  SHA-512:007877E08B1958FDC5FEC7DA9FE8AD1A678C2E59BF0B5F4B4080640C1FAB96A34F27AF81F5A733580E95B897D0E27E1C1FD45A4CA20A673A20F3331F3D5C2B62
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\67ba8a.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft .NET Host FX Resolver - 6.0.32 (x64), Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft .NET Host FX Resolver - 6.0.32 (x64)., Template: x64;1033, Revision Number: {43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}, Create Time/Date: Sun Jun 16 06:00:06 2024, Last Saved Time/Date: Sun Jun 16 06:00:06 2024, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):876544
                                                                                                  Entropy (8bit):6.767183882536547
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:219IeVsJxYRR3cqU8VKIvZUlkj/cBhZeK4lu/XdmYwh:2jIxCMHWvZgkjcDefMFmL
                                                                                                  MD5:46DB6C104F1B633927DEE575B5C38C0B
                                                                                                  SHA1:9D5E6CF836E28959181B855102E70F5A37550314
                                                                                                  SHA-256:2C8DFB556F4A6576205AF03F8D5E2F0A939395CA2DE6D69F06478B3008D1A2CE
                                                                                                  SHA-512:007877E08B1958FDC5FEC7DA9FE8AD1A678C2E59BF0B5F4B4080640C1FAB96A34F27AF81F5A733580E95B897D0E27E1C1FD45A4CA20A673A20F3331F3D5C2B62
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\67ba8d.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Wed Jul 24 16:38:14 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.0.1;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.0.1;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49613312
                                                                                                  Entropy (8bit):7.959491759228612
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:786432:/TVOuIdnXeYOf9QBOgMqoaen728gEb4dIgEdj8SmIqm50m:bVO+4bvXQ/mo50m
                                                                                                  MD5:639743F4492FEBF52CC9A446AB8F34E2
                                                                                                  SHA1:8486BE67E38B7FC0C12CEAD56A924F843296C02A
                                                                                                  SHA-256:2E9795EB82BDCC44F6535AEF7D06E60778DA018F849443C3B5E38D551CB2857F
                                                                                                  SHA-512:AA55D5EE9682F51B97165E3908AB26859EC9D8BD05D8679AB1B5BF3F5EDD9AAED35813C52C4D9B0C3C0343D838914790689911A435BDB8D3067892633A9316A1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...................................8........6........................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-......./.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;...................eu.............................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...B...M...:...<.......=...........@...A...0...C...D...E...F...G...H...I...J...N...L...........O...P...Q...R...S...T...U...Z...W...X...Y...Mt..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                  C:\Windows\Installer\67ba90.msi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 936, Title: Installation Database, Subject: Splashtop Streamer, Author: Splashtop Inc., Keywords: Installer,MSI,Database, Comments: Splashtop Streamer Installer, Create Time/Date: Wed Jul 24 16:38:14 2024, Name of Creating Application: InstallShield?2021 27, Security: 1, Template: Intel;0,1033,2052,1028,1036,1031,1040,1041,1042,1046,1049,1034, Last Saved By: Intel;2052, Revision Number: {B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.0.1;{B7C5EA94-B96A-41F5-BE95-25D78B486678}3.7.0.1;{001F085C-058A-480B-AD56-2940B857C38D}, Number of Pages: 200, Number of Characters: 1
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49613312
                                                                                                  Entropy (8bit):7.959491759228612
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:786432:/TVOuIdnXeYOf9QBOgMqoaen728gEb4dIgEdj8SmIqm50m:bVO+4bvXQ/mo50m
                                                                                                  MD5:639743F4492FEBF52CC9A446AB8F34E2
                                                                                                  SHA1:8486BE67E38B7FC0C12CEAD56A924F843296C02A
                                                                                                  SHA-256:2E9795EB82BDCC44F6535AEF7D06E60778DA018F849443C3B5E38D551CB2857F
                                                                                                  SHA-512:AA55D5EE9682F51B97165E3908AB26859EC9D8BD05D8679AB1B5BF3F5EDD9AAED35813C52C4D9B0C3C0343D838914790689911A435BDB8D3067892633A9316A1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...................................8........6........................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-......./.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........;...................eu.............................................................................................. ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...B...M...:...<.......=...........@...A...0...C...D...E...F...G...H...I...J...N...L...........O...P...Q...R...S...T...U...Z...W...X...Y...Mt..[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                  C:\Windows\Installer\MSI17F9.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):250736
                                                                                                  Entropy (8bit):6.765155684437659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                  MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                  SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                  SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                  SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI1D88.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):250736
                                                                                                  Entropy (8bit):6.765155684437659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                  MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                  SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                  SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                  SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI1F0F.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2805
                                                                                                  Entropy (8bit):5.7663607152705065
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:sLbin8264hpnUHMb6P3hvKhG1kfCbD8SuhM4DdeU1DvnKhXyDZkeEVlttyXcXo:sLbnfOaHPU4RFY/pe6rRDZkeEPk
                                                                                                  MD5:1D60A31939D34623C133E0081F533C34
                                                                                                  SHA1:AF22977EE6A7A8DCFB4AE096A6074B18ACCFF847
                                                                                                  SHA-256:E59451B624A7FBB5896B108F31F32FF73F0FBBAF6D4194FD10E5987D6BA2A5AB
                                                                                                  SHA-512:5506DD758367A50B12E417E5E044B1580BFF27984E2627EBE29AF70F3819BFEF217C180CDB2C98414CB2E254241BDF96811A94FFD9B882D3BC7783BF13DBE066
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@(E$Y.@.....@.....@.....@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}..Microsoft .NET Host FX Resolver - 6.0.32 (x64)!.dotnet-hostfxr-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{E116E585-E2CE-5BAC-A645-7047860785B2}W.02:\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.128.16743_x64\Version.@.......@.....@.....@......&.{0AC899A6-3CC6-559F-9577-67925851F466}3.C:\Program Files\dotnet\host\fxr\6.0.32\hostfxr.dll.@.......@.....@.....@......&.{8EC524B8-7864-5ACE-B320-2D36216EBC12}?.02:\SOFTWARE\dotnet\Setup\InstalledVersions\x64\hostfxr\Version.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Dir

                                                                                                  C:\Windows\Installer\MSI20C6.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):250736
                                                                                                  Entropy (8bit):6.765155684437659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                  MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                  SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                  SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                  SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI273F.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):250736
                                                                                                  Entropy (8bit):6.765155684437659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                  MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                  SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                  SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                  SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI279E.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):732
                                                                                                  Entropy (8bit):5.4733719716419005
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:Eg80LBN30/W4rVwZmj//430/Wi/fNEhHmX/qHXZNDUSEMszVltNnHWYCMeSL:U0LBN3f4rQmjo3f/QXkXZIMEVlt1JRXL
                                                                                                  MD5:A4FB06EFF5BA21DB9D79EAC829828318
                                                                                                  SHA1:7AEF67E5B4AFCD9429FE03C9B60EDC7205BB5FBF
                                                                                                  SHA-256:56A1E270EFF62921EA5C83F8D6B5060DA63975670E6AA6D2BA46F8A4BDF81755
                                                                                                  SHA-512:EC9D82D856C8CABF3256960BE1A08522B4C3238C1611D0749B6E5337E0AE89D155A72B12BD18E9CACD8C9AD652D5158C36A2F00B535F976EA488A203CBA5EA65
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@)E$Y.@.....@.....@.....@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}..Microsoft .NET Host FX Resolver - 6.0.32 (x64)!.dotnet-hostfxr-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{43DA5864-E85C-44A5-B8EC-4BB554FA8AFC}.....@.....@.....@.....@.......@.....@.....@.......@......Microsoft .NET Host FX Resolver - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........RegisterProduct..Registering product..[1]i...0......PublishProduct..Publishing product information.......@.....@.....@......&.{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}Q.C:\ProgramData\Package Cache\{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}v48.128.16743\...@.....@.....@....

                                                                                                  C:\Windows\Installer\MSI286A.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):250736
                                                                                                  Entropy (8bit):6.765155684437659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                  MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                  SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                  SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                  SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI286F.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4233382
                                                                                                  Entropy (8bit):7.972939282828941
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:9tc/iNuKEElj7Ssx6zXKJr9aEpaDwvVvtUD+yzOrf+AGUniav4Xbb3Kw:9q+LE4dxmoMWAwvNtmOBGPXPN
                                                                                                  MD5:92856BAC58AE545F55E2BA13A022F2E3
                                                                                                  SHA1:B678F5DEF71E05C1BC9BBFFAEF49BF7233EF4547
                                                                                                  SHA-256:D9589A45B8333C0B299B863154101254CC41DEDAF0ED1B0E27EC5416D8F449D6
                                                                                                  SHA-512:D67DCEAB51C36494C659F4B11D83FD06C21509A7868CE4FC28CB978797F3B39C212A72222774DAC1ED068F16D7F468CDCCDD9FA6FFC5932EA31546619E7D2D9A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@.E$Y.@.....@.....@.....@.....@.....@......&.{96B92DFA-81A3-4790-BDF9-3D28564F56E6}..AnyDesk Custom Client..AnyDesk-CM.msi.@.....@.....@.....@......AnyDesk.ico..&.{628CD9B4-A962-4498-B76B-D464D49A354A}.....@.....@.....@.....@.......@.....@.....@.......@......AnyDesk Custom Client......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{9EA3C554-32AD-5C8C-BF7A-E4507A06D537}D.C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe.@.......@.....@.....@......&.{6F8FD6FB-3EBA-5393-8B6B-42068095D099}/.02:\Software\AnyDesk-f45e5af2_msi\MenuInstalled.@.......@.....@.....@......&.{082057A4-D7E9-5192-980F-6C66827AAE0D}..00:\AnyDesk\.@.......@.....@.....@........InstallFiles..Copying new files&.File: [1], Directory: [9], Size: [6]...@P.;..@.....@......,.C:\Program Files (x86)\AnyDesk-f45e5af2_msi\..!.1\b58p4pus\|AnyDesk-f45e5af2_msi\....

                                                                                                  C:\Windows\Installer\MSI28BE.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):159232
                                                                                                  Entropy (8bit):6.502739721653812
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:aJqCsjr+AtNOLtIWM+ZlV6ZmyJPeYuv/ePdifw4PGHHXtRBgS1RHS/gAMXnO2X+g:gO+ENIIWM+lKek17yd2X+VLnOkyqE
                                                                                                  MD5:84FE6543A5357793615375E62914C76A
                                                                                                  SHA1:3E80ECBC17359E2A5D6691ABB86F1E6526E1D980
                                                                                                  SHA-256:E8BE4BEBBEC150DEA0FFFE4AD32DD4B7F2A2CEE317EFB3FE8F127E49E64794E7
                                                                                                  SHA-512:F666166006C3C8D54FD42B09777DD3039244FBE9F48E5D1A76259B35C5EB8490D7DEA868CA7080C9E8F04FFCA395A0C028A2D86AE5BFD2B7DBDF8A2D555B71E1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.#...p...p...p.B.p...p.B.p...p.B.p...p.h.p...p.h.p...p...pS..p.f,p...p.f.p...p.f.p...p.f.p...pRich...p........PE..L.....7M...........!.....4...b......G........P......................................}.....@..........................>......./...................................... ................................5..@............................................text....2.......4.................. ..`.data....<...P.......8..............@....rsrc................H..............@..@.reloc........... ...N..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI2B7F.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):159232
                                                                                                  Entropy (8bit):6.502739721653812
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:aJqCsjr+AtNOLtIWM+ZlV6ZmyJPeYuv/ePdifw4PGHHXtRBgS1RHS/gAMXnO2X+g:gO+ENIIWM+lKek17yd2X+VLnOkyqE
                                                                                                  MD5:84FE6543A5357793615375E62914C76A
                                                                                                  SHA1:3E80ECBC17359E2A5D6691ABB86F1E6526E1D980
                                                                                                  SHA-256:E8BE4BEBBEC150DEA0FFFE4AD32DD4B7F2A2CEE317EFB3FE8F127E49E64794E7
                                                                                                  SHA-512:F666166006C3C8D54FD42B09777DD3039244FBE9F48E5D1A76259B35C5EB8490D7DEA868CA7080C9E8F04FFCA395A0C028A2D86AE5BFD2B7DBDF8A2D555B71E1
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........q.#...p...p...p.B.p...p.B.p...p.B.p...p.h.p...p.h.p...p...pS..p.f,p...p.f.p...p.f.p...p.f.p...pRich...p........PE..L.....7M...........!.....4...b......G........P......................................}.....@..........................>......./...................................... ................................5..@............................................text....2.......4.................. ..`.data....<...P.......8..............@....rsrc................H..............@..@.reloc........... ...N..............@..B................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI2DF9.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):182768
                                                                                                  Entropy (8bit):6.29474871459677
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:M3hCcV2YVWR8xSSIqeCjEIz+hZvgvE5Q+yq8MPdJ0xH:ErTz9Pj/Ag/+XPw
                                                                                                  MD5:9ED1749276D20BE78D5E7A30D658C484
                                                                                                  SHA1:EAAEA2656A63366A888955CE030E091FEA70F0F6
                                                                                                  SHA-256:61F398C652504FEE07AF12AC50D4A70ECFF641234A4EDA59C68EC937B6D80C96
                                                                                                  SHA-512:33ACF0BDBD1F33526D348A47BC00963843FC72EB203DF07D0136110109C892FB20AA9D3147204F958B95D750F7F98EB5DF3C387ED4B8802B7F929F201B41E90F
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x......................K.......................n...............nz.....K.......K.......K.........T.....K.......Rich....................PE..L....7.d...........!.................................................................I....@..........................E..a....6..........p................-......t...................................h...@............................................text............................... ..`.rdata..............................@..@.data...41...P.......:..............@....rsrc...p............L..............@..@.reloc...H.......J...R..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI2E48.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):171064
                                                                                                  Entropy (8bit):6.093983981233022
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:jq44uv69SIrScxe0IZNJ+x+uk+hZPDFNkXAO4VR:jfn2Slcxe0Fc9CcQO2
                                                                                                  MD5:E80F90724939D4F85FC49DE2460B94B5
                                                                                                  SHA1:512EA4DEBA1C97CC7EC394BCE0E4A32CD497176E
                                                                                                  SHA-256:8041D3CCBAFA491D35F70030C3AFEBA683B0235BED24F242878D04C7E87B8687
                                                                                                  SHA-512:9494F1CD058DC3923E4F562D8ED2EDF3D252F519EFC6DB4F1B5289D8A1B841A6CB927E14D33DAB98E0BD4D22A5A473B8CD9424F77213527FBE0C183126356767
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......._`,"..Bq..Bq..Bq..q..Bq<.q..Bq..q..Bq..q/.Bq..qh.Bq.y.q..Bq.y.q..Bq..Cq..Bq..q..Bq..q..Bq..q..Bq...q..Bq..q..BqRich..Bq........PE..L...`.a...........!.....p...$.....................................................P...................................m............`..p............x..8$...p.. .......................................@............................................text....o.......p.................. ..`.rdata..M............t..............@..@.data....1... ......................@....rsrc...p....`.......$..............@..@.reloc...L...p...N...*..............@..B................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI3166.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4716331
                                                                                                  Entropy (8bit):7.577108587755452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:k3H5BNwueVRfsqc+cCD+EATIStpnSbkGPCpt4a3yRJbs4OIM5:k3H5BNMsNi+pn7d4aOtGZ
                                                                                                  MD5:ED1AD76A6A0B2F8A3D9819256297FD89
                                                                                                  SHA1:9B1773C2D4D2ABE0DB5A5D72746ECD4F28F81EDC
                                                                                                  SHA-256:377EF03FDDCD6B14A3C93D8C574A16091590008B6D4149F9CE4A7ECAD7008B92
                                                                                                  SHA-512:9B7D2E9D56674971580A22C912B858FCB305D1DC19CC6F8087C11FFC161D2D97338F7DF1C73C586E6ABC763A3673D2795EFB1B0A7A657A4CFDD68C57AA640DBB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI45D9.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4716331
                                                                                                  Entropy (8bit):7.577108587755452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:k3H5BNwueVRfsqc+cCD+EATIStpnSbkGPCpt4a3yRJbs4OIM5:k3H5BNMsNi+pn7d4aOtGZ
                                                                                                  MD5:ED1AD76A6A0B2F8A3D9819256297FD89
                                                                                                  SHA1:9B1773C2D4D2ABE0DB5A5D72746ECD4F28F81EDC
                                                                                                  SHA-256:377EF03FDDCD6B14A3C93D8C574A16091590008B6D4149F9CE4A7ECAD7008B92
                                                                                                  SHA-512:9B7D2E9D56674971580A22C912B858FCB305D1DC19CC6F8087C11FFC161D2D97338F7DF1C73C586E6ABC763A3673D2795EFB1B0A7A657A4CFDD68C57AA640DBB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI481C.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):563441
                                                                                                  Entropy (8bit):5.784178337661267
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:rw7f7f8m8end5Xy+1kvI8k9W91iVXuXskIh+:ryh8edk+1kv5K+Wh+
                                                                                                  MD5:A5C3A5781FA3CBE364CBF78094CA0B39
                                                                                                  SHA1:F960EFB059AF132335F351A17B89EF70171E762B
                                                                                                  SHA-256:97CE2A47005C31497435CF13206FC6B374866A3660B9630068D29F61572E6478
                                                                                                  SHA-512:8D12B00D315984BE47BBA2466F3EE9575E1A759E5F826B2322442F9900A2162C4D070A617254E68C8F45B092198ADBDF32BB020D11C802E078101F3EB869D2F9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@-E$Y.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@.....@.....@.]....&.{3D8827C3-3F73-4AD7-9420-7CA93653C8F2}2.C:\Program Files (x86)\Splashtop\Splashtop Remote\.@.......@.....@.....@......&.{61B538AB-B209-C01B-F95C-B0A0531054D2}M.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm.@.......@.....@.....@......&.{3742F778-8BAC-9729-A5BE-712DA9BEB95A}@.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\.@.......@.....@.....@......&.{ADBB7064-411F-E593-D901-EACB3BA8154E}Z.C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_dr

                                                                                                  C:\Windows\Installer\MSI8286.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14149796
                                                                                                  Entropy (8bit):7.5770845525077
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:393216:TBdi+17iaOtGxBdi+17iaOtGwBdi+17iaOtGX:l7ZOt07ZOtL7ZOti
                                                                                                  MD5:9B7447F32126B90842C529E596D15481
                                                                                                  SHA1:3CFF66403CDA6EFAD36ECC24ADAA8188DE261B1A
                                                                                                  SHA-256:54144F8620ED57F66E7889B8CC9D74B5FADE60E3ADEBCF1E463CA14D98069BC8
                                                                                                  SHA-512:BB820572BCDBC1620642CF744C447619F280D39CD9C2B08A89014FBEE910558D1C9992E62D698682DDE15CB7751F0A30EEA79D614DB2285A5FC65322749C1201
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@5E$Y.@.....@.....@.....@.....@.....@......&.{B7C5EA94-B96A-41F5-BE95-25D78B486678}..Splashtop Streamer..setup.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{1FFB34B4-02B4-4EEE-ACA4-24941A8EDEE5}.....@.....@.....@.....@.......@.....@.....@.......@......Splashtop Streamer......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........Util_UpdateSetting....J...Util_UpdateSetting.@......+.G.MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f...

                                                                                                  C:\Windows\Installer\MSI8537.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):4716331
                                                                                                  Entropy (8bit):7.577108587755452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:k3H5BNwueVRfsqc+cCD+EATIStpnSbkGPCpt4a3yRJbs4OIM5:k3H5BNMsNi+pn7d4aOtGZ
                                                                                                  MD5:ED1AD76A6A0B2F8A3D9819256297FD89
                                                                                                  SHA1:9B1773C2D4D2ABE0DB5A5D72746ECD4F28F81EDC
                                                                                                  SHA-256:377EF03FDDCD6B14A3C93D8C574A16091590008B6D4149F9CE4A7ECAD7008B92
                                                                                                  SHA-512:9B7D2E9D56674971580A22C912B858FCB305D1DC19CC6F8087C11FFC161D2D97338F7DF1C73C586E6ABC763A3673D2795EFB1B0A7A657A4CFDD68C57AA640DBB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI9AE3.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2616
                                                                                                  Entropy (8bit):5.760303091915571
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:UnGredsyrlsTT8qUYFT8lQCGQfJ8W4io8DtoGSXPZ67I8cQ9PMwEVltMO:UGry/rlR8ESIyJkEZc0wEPR
                                                                                                  MD5:2847CB88349F821824F835BDF642F65C
                                                                                                  SHA1:8C48009F9EF367DEA6CA706BFE35D966CB553D85
                                                                                                  SHA-256:2FD5F577C6625D3BD9682FA7B853E857B9BC6C93C68A4D91B0A200A503761950
                                                                                                  SHA-512:B8EBBE50F21830F862D432985F039B1298096996DE21243E04F5FB28EA6305BFBF16744FE959A65C8FCEFCD9B424DD1C06EF99827184829D1B9D3427D6A66B56
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI9AE3.tmp, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@.E$Y.@.....@.....@.....@.....@.....@......&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}..AteraAgent8.SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi.@.....@.....@.....@........&.{352F53AF-93CF-49B0-A97C-42FE183A477F}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{352F53AF-93CF-49B0-A97C-42FE183A477F}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraService....J...StopAteraService.@b...1.C:\Program Files (x86)\ATERA Networks\AteraAgent\..NET STOP AteraAgent....KillAteraTask....J...KillAteraTask.@b...1.C:\Program Files (x86)\ATERA Networks\AteraAgent\..taskkill /f /im AteraAgent.exe....ProcessComponents..Updating component registration.....@.....@.....@.]....&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}..&.{F7DFE9BA-9FAD-1

                                                                                                  C:\Windows\Installer\MSI9AF4.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSI9E0F.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):4716331
                                                                                                  Entropy (8bit):7.577108587755452
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:k3H5BNwueVRfsqc+cCD+EATIStpnSbkGPCpt4a3yRJbs4OIM5:k3H5BNMsNi+pn7d4aOtGZ
                                                                                                  MD5:ED1AD76A6A0B2F8A3D9819256297FD89
                                                                                                  SHA1:9B1773C2D4D2ABE0DB5A5D72746ECD4F28F81EDC
                                                                                                  SHA-256:377EF03FDDCD6B14A3C93D8C574A16091590008B6D4149F9CE4A7ECAD7008B92
                                                                                                  SHA-512:9B7D2E9D56674971580A22C912B858FCB305D1DC19CC6F8087C11FFC161D2D97338F7DF1C73C586E6ABC763A3673D2795EFB1B0A7A657A4CFDD68C57AA640DBB
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........h.[...[...[....;..R....:..C....;..Z....:.......:..........\.......Z......^.......L...[........;..#....;..Z....;..Z...[...Z....;..Z...Rich[...........PE..L....;.d...........!.....l...........[....................................................@.............................g;...a.......p.......................P...7......8............................ ..@...............H...H\.......................text...2f.......h.................. ..`.orpc... ............l.............. ..`.rdata..w3.......4...p..............@..@.data...............................@....rsrc........p......................@..@.reloc..f(...P...*...r..............@..B........................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSIBBD8.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3734
                                                                                                  Entropy (8bit):5.719912116254478
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:3GrZHeXE9cT+tRbRyl5e6k4cPbLEPirun6/:3K/cT+/Ryl5e6hczLWBn6/
                                                                                                  MD5:63F8E1270FF800AB9FB64181927C3D4C
                                                                                                  SHA1:C69B49857EC3AABE9B9018CA49F325BB7D5C2783
                                                                                                  SHA-256:1C549C34B8787B047CD54613A8F4389E736DC992C889765EB5EB1D68BAD35630
                                                                                                  SHA-512:762AAC6E6C958424209C055FF2AE63D4F34366FAD871E80D4E0039409741208AEA3689F45D34C6E74FCE347300AB3829C9151C15FD149DDA007594A2D575B7F0
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIBBD8.tmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIBBD8.tmp, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@.D$Y.@.....@.....@.....@.....@.....@......&.{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}..AteraAgent8.SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi.@.....@.....@.....@........&.{352F53AF-93CF-49B0-A97C-42FE183A477F}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraService....J...StopAteraService.@b...1.C:\Program Files (x86)\ATERA Networks\AteraAgent\..NET STOP AteraAgent....KillAteraTask....J...KillAteraTask.@b...1.C:\Program Files (x86)\ATERA Networks\AteraAgent\..taskkill /f /im AteraAgent.exe....ProcessComponents..Updating component registration.....@.....@.....@.]....&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}..C:\.@.......@.....@.....@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}?.C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.@.......@.....@.....@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}F.C:\Program Fi

                                                                                                  C:\Windows\Installer\MSIBBF9.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSIC476.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3617
                                                                                                  Entropy (8bit):5.713823914030879
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:lLoGXS/l9Q1T+tRbRyl5e6tjZ9PbLEPiK1MP:ZZi81T+/Ryl5e6/9zLWivP
                                                                                                  MD5:82201061F625CF5CA8F83524ECB5B43A
                                                                                                  SHA1:3E8D70747CFB75EEB7332854A6645062323E80D4
                                                                                                  SHA-256:48682A8DFFE35543D962C40DD623149D1EE0D786293F3E2342211B93E31B3128
                                                                                                  SHA-512:AA929E24EF713DA67E4D18317A27250C6141E8F35E7969CB14F9E0E3C01304DF5B884A3F7B9C69F7C6D2CDA2D7AC686B5893DB9FDAFDD4872C95AD05344123EF
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIC476.tmp, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@.E$Y.@.....@.....@.....@.....@.....@......&.{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}..AteraAgent..ateraAgentSetup64_1_8_0_4.msi.@.....@.....@.....@........&.{2D689290-A367-4547-AD1E-5C025376FB63}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraService....J...StopAteraService.@b...+.C:\Program Files\ATERA Networks\AteraAgent\..NET STOP AteraAgent....KillAteraTask....J...KillAteraTask.@b...+.C:\Program Files\ATERA Networks\AteraAgent\..taskkill /f /im AteraAgent.exe....ProcessComponents..Updating component registration.....@.....@.....@.]....&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}..C:\.@.......@.....@.....@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}9.C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.@.......@.....@.....@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}@.C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.

                                                                                                  C:\Windows\Installer\MSIC477.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):216496
                                                                                                  Entropy (8bit):6.646208142644182
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                  MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                  SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                  SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                  SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSIF8F5.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):250736
                                                                                                  Entropy (8bit):6.765155684437659
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:hXiqyhTO8W0iEa8LW0bEC9hvZpC01v+eUKflQnZl+T+J7g6EsNr7wyy/EPzr9XA:hqhy8VKU3hvZUy+ppHEsuB/cBQ
                                                                                                  MD5:60E8C139E673B9EB49DC83718278BC88
                                                                                                  SHA1:00A3A9CD6D3A9F52628EA09C2E645FE56EE7CD56
                                                                                                  SHA-256:B181B6B4D69A53143A97A306919BA1ADBC0B036A48B6D1D41AE7A01E8EF286CB
                                                                                                  SHA-512:AC7CB86DBF3B86F00DA7B8A246A6C7EF65A6F1C8705EA07F9B90E494B6239FB9626B55EE872A9B7F16575A60C82E767AF228B8F018D4D7B9F783EFACCCA2B103
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........x.....V...V...V:i.W...V:i.WR..V.q.W...V.q.W...V.q.W...V:i.W...V:i.W...V:i.W...V...V&..Vup.W...Vup.W...VupFV...V...V...Vup.W...VRich...V................PE..L......e...........!.....<...X......Q........P...........................................@..........................G.......L..........x............|..pW...........<..T............................<..@............P..0............................text....:.......<.................. ..`.rdata.......P.......@..............@..@.data...4$...`.......N..............@....rsrc...x............X..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\MSIFA1F.tmp

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):84904
                                                                                                  Entropy (8bit):5.647966686982303
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:0W7nUIYEPa1Q1rAEIeJU8Zg65Q+fUQxs+RQdBKvlH0Vjqgg1bcdv4Yu8EB5vv49L:97BiG+u1E
                                                                                                  MD5:B7F806E0B067B4ADCE7FC84586097EFD
                                                                                                  SHA1:1097DB891095E3EF7600306AA1A1281FE0E91F7A
                                                                                                  SHA-256:EA748645B5F18BD67ECCFE5B4A1AD9093CD0986791DAC80767BA9565DD90FB33
                                                                                                  SHA-512:93A5FF555ADDA98841F50ED627337D784C3BB2EB9BD3DDEBCE9B429C2B4A80D28F3E2CE52CB78C8D20C9D8045B18E9CEDCB16A89CF8F3E0F1A92287C17B178B2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:...@IXOS.@.....@$E$Y.@.....@.....@.....@.....@.....@......&.{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}%.Microsoft .NET Runtime - 6.0.32 (x64)!.dotnet-runtime-6.0.32-win-x64.msi.@.....@gA.0.@.....@........&.{81A6B662-3AB0-42DC-AE22-74E8036F80FA}.....@.....@.....@.....@.......@.....@.....@.......@....%.Microsoft .NET Runtime - 6.0.32 (x64)......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3B053811-15BE-513E-9DEC-B2B5C4918267}S.02:\Software\Classes\Installer\Dependencies\dotnet_runtime_48.128.16743_x64\Version.@.......@.....@.....@......&.{12C6BE75-4A6B-5D0E-8906-981484BEDEFB}D.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\.version.@.......@.....@.....@......&.{5B8B7A30-DD32-5F3F-BF38-4CDA80FF7B58}^.C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.32\api-ms-win-core-console-l1-1-0.dll.@.......@.....@.....@......&.{2D57BD37-A665-5E90-A9

                                                                                                  C:\Windows\Installer\SourceHash{3FDCF0A2-7C1F-41C7-9749-0D91EC216AED}

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.1738283751183585
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:JSbX72Fj23iAGiLIlHVRpUh/7777777777777777777777777vDHF7DRONN/Xl0G:JBQI5ERRqF6F
                                                                                                  MD5:1B9CEAB6612623E3CFB22A1ADD018EB6
                                                                                                  SHA1:09688EE3E55872C46A52AAAAA0C74E3B5119153B
                                                                                                  SHA-256:F832FD9211D6C9F12F83EEEA0016801C7B37E49C787193E70EB3E34EEC6B40A4
                                                                                                  SHA-512:8DFA22207BB3FD0CC67EEB708E2DE54EE3DBE3118B8AFEA00E76287760C843D42EA7FDFF7928C73A0DC95EE8855C27A9BA7934A8116CE71F406A47C13D04BFA7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\SourceHash{667CB653-70E1-4E2B-9C8E-6A02A6CF88B9}

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.1752328817243125
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:JSbX72Fj2ziAGiLIlHVRpUh/7777777777777777777777777vDHF2Vt/Xl0i8Q:J/QI5E2l6F
                                                                                                  MD5:753301AE0F75E52DD8C1C89A92EAA977
                                                                                                  SHA1:F73F6F4220E16AD2ECD1FAE0690589412A898D6E
                                                                                                  SHA-256:324FEC4827ADC5F206E670FFA4FEE493B4D97CCE81C607C3BC2AD3EAD9312FE4
                                                                                                  SHA-512:15EED3819EA940E019D64C3E02ED3DFF9E129CF680FC8034AC0117DAC25F17D8AA938925B37F11D6904B3455A9F588DA8E604387E4A56647E4BA018703D00191
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\SourceHash{96B92DFA-81A3-4790-BDF9-3D28564F56E6}

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.1646017785683034
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:JSbX72FjMiAGiLIlHVRpZh/7777777777777777777777777vDHFlGkkPKit/l0G:JFQI5tRKbiF
                                                                                                  MD5:E0CF31A1750172C9D945FEE6572BDC8A
                                                                                                  SHA1:5210672B8491CC0EE8773E73785CB0179F51E33D
                                                                                                  SHA-256:8C8688342D0C554205E3B04B02EE410E520DAE7F7CD5B12BB086E7CDB7E79599
                                                                                                  SHA-512:5B083EBC6F25DEAA707C5BCC438823AF83B2E2E1A82A67102D25C0A9481AA582305F76E71D136BFC943A83E241B475D0D6E248DD5DABCA9BAA7C888B84BDECD3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\SourceHash{A42BE663-C45C-40E4-A3D1-0A14EC0FEB22}

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.192246250549211
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:JSbX72FjtAGsXAlfLIlHmRpjh+7777777777777777777777777ZDHFhX9vwpQC4:J3AJUIYiLhwpQCI8F
                                                                                                  MD5:5027BBC492F4F179DD24DCB06DF4A7C1
                                                                                                  SHA1:549ADB8D45196F03378C932675B3870EDCDDB27D
                                                                                                  SHA-256:9ECD023B501BADBD0116E00240CE4F8ABDF76EDCF74FA61BE6758DAC871FABDB
                                                                                                  SHA-512:D197C8036AB66FF212BD590FF26A8287624773733353DEE4303F276F101B590D27E882259660E95CCB72181DAA53657C47F1CE5A02CAF6A17D055EFB531ED049
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):0.7681964647592033
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:JSbX72FjEiAGiLIlHVRpMh/7777777777777777777777777vDHFYoZcb/mlp3Xz:JRQI5cSVq6F
                                                                                                  MD5:6AB1C3BED6AA96DE28B72722F26BCDBB
                                                                                                  SHA1:E9E4105A4A4A1C56FA007080E5458BCDCE50C1AC
                                                                                                  SHA-256:5DD4EE2035E09A692508551F95F8B2AC7DBBEFCC63DB1F2E9AF37707B2535CC8
                                                                                                  SHA-512:B7A96E3937A834227DABCA0E51F738E28D6F458CFC59B323798A113A499F5A4E11A6EFB41C9B0E61AB907526E01F59F274393F6154279F28DFCD372E969B938C
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\SourceHash{C6F34E57-AC44-4A26-8B0A-58CEA5E6725F}

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.1732283668482557
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:JSbX72Fj1XiAGiLIlHVRpIh/7777777777777777777777777vDHFKjSy75rl0i5:JnSQI5w8Z7MF
                                                                                                  MD5:07CAB29B25C8B4515585791873BE2DA8
                                                                                                  SHA1:829172F1AD8CEC2C0B10F7A70202ACEE19066FF1
                                                                                                  SHA-256:6542093B326F058F08186F8C6DC7B5616C17CEAD53207E215E20608473D36E3C
                                                                                                  SHA-512:0BF5F920E8E6A7288E070CC8E54809B27D297CBA17B7B1220B00BB629A4348C13B32C5B2C733D8A494273D9D1B9C2F8248F8756661585124C58440B07B80D463
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):147456
                                                                                                  Entropy (8bit):3.0953697801729434
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:FpZz6zFooEd6QFo7KjJUFJ9yQscVU0r/l0az6zFooEd6QFo7KjJUFJ9yQscVU0r/:bZ2zOhUm44QdxOa2zOhUm44Qdx
                                                                                                  MD5:3D0247F81ED73ACE95F4DE15DF28216C
                                                                                                  SHA1:84CB859F84E3ED06554D9FE7A8DFD18DE8BCD5AC
                                                                                                  SHA-256:67B3B05702FBBB540D2F0E0822AEFA2C1374765183FA41C97EF7A4144A470C5F
                                                                                                  SHA-512:2E67363BC5FAC0E686387892CE5BBF9126905B66ADFD238447BF54A72E438420FC6BE5E575C37A386EAD5C73CE8D23DD907917949AD159A3B195016A76AE6863
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\{96B92DFA-81A3-4790-BDF9-3D28564F56E6}\AnyDesk.ico

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3910992
                                                                                                  Entropy (8bit):7.999062677756715
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:98304:wtc/iNuKEElj7Ssx6zXKJr9aEpaDwvVvtUD+yzOrf+AGUniav4Xbb+:wq+LE4dxmoMWAwvNtmOBGPXP+
                                                                                                  MD5:93B4FC0135DEBA59A7D1A59468FE2794
                                                                                                  SHA1:8604571FE2CC0E1B170A8C8E195F8625E804347A
                                                                                                  SHA-256:C4B75C7B1491F67ED2FCAFFC23FFA9A7D250AEDEC84B94285D6AD620220B0011
                                                                                                  SHA-512:7B34A5D70661A4A2F26AFEC0D7197739A9CCB47780E72CB76C3C0AB649BB05FDC71D6AB79F0D4F8E2FDFFFF3157129A113A449F21C11F33EFC4F8239521524A3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q.hU0.;U0.;U0.;:F#;V0.;:F";]0.;:F.;T0.;:F.;T0.;RichU0.;................PE..L....O.e.........."......*...0;..N..W6.......@....@.................................Y.<...@.............................................xH...........\;.HQ...........................................................................................text...5(.......*.................. ..`.itext...N...@...........................rdata..............................@..@.data.....:.......:..2..............@....rsrc...xH.......J....;.............@..@.reloc...............V;.............@..B.custom..............Z;................@................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):454656
                                                                                                  Entropy (8bit):5.348929773767357
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:D7f8m8end5Xy+1kvI8k9W91iVXuXskIhT:/h8edk+1kv5K+WhT
                                                                                                  MD5:149336F319D9AE2CA49E49FC61E834AC
                                                                                                  SHA1:E00591F432E8B306A349D76BF280736E4509E49F
                                                                                                  SHA-256:9E06D2D011DA7F988CF974584BB9F2D780D2460DAE92B02FF13F50FC2B3ED2E8
                                                                                                  SHA-512:BF7BC7C5FCD881C2A2E19914A0C3D765BED36D63C3FF0D60C07DA4CB8072F45DA3BC0DE7605BFE83B23E0572F1B700C0B613C049DC613F7470C095AE7EC9931D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............C...C...C...C...CD..C...C...C...C=..C...C...C...C...C...CRich...C........................PE..L......a.................@...................P....@.........................................................................4T..(........^...........................................................................P...............................text....5.......@.................. ..`.rdata.......P.......P..............@..@.data....)...`...0...`..............@....rsrc....^.......`..................@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):363829
                                                                                                  Entropy (8bit):5.3654201184144945
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau9:zTtbmkExhMJCIpEM
                                                                                                  MD5:6497AF5772ED502DE151BD1E91DE6D89
                                                                                                  SHA1:A87BA356E79D976C50A1C3E28D23438FCA60D70F
                                                                                                  SHA-256:19BC3E899E6D3A0D5DBECA4A05965E14E9AA504A5D913DDA343BE6F0CA3A27D4
                                                                                                  SHA-512:51093FADF41A4A8DFE48F0EDABF7B469ADDA10500EFCEA306D5D221B17F1877FA4527BBB9C76E8E998F963092799E07B14FBB92AD5B48B9C02A782235CE152D2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                                                  C:\Windows\System32\InstallUtil.InstallLog

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):704
                                                                                                  Entropy (8bit):4.805280550692434
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                  MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                  SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                  SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                  SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...

                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:modified
                                                                                                  Size (bytes):1950
                                                                                                  Entropy (8bit):5.344231540116017
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT44HK28mHDp689:iqbYqGSI6oPtzHeqKkCq13qhA7qZ44qA
                                                                                                  MD5:2760599A0CED9D2591A6446C807AC183
                                                                                                  SHA1:707CA5CB792E58535BE74ACBDB629CD9A4837CF7
                                                                                                  SHA-256:E94621939545D2DFF125951E2C56BFB6B79C24D26744565CFA80D11875BB1D13
                                                                                                  SHA-512:6E510DCB3E81B1AE6910666FCADEAF9B40A8FEED3AD2F7F97D07BA428FA67348CFEDC3E55E12F43CAE5462243CBB42292F16570A696217F69F24369F040E078A
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1

                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1944
                                                                                                  Entropy (8bit):5.343420056309075
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                  MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                  SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                  SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                  SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.

                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1983
                                                                                                  Entropy (8bit):5.345248756179348
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKksHVsHT6HNHOHKCHKlT40HKe60:iqbYqGSI6oPtzHeqKks1sz6tuqCqZ40T
                                                                                                  MD5:F974F0FCD981AC0581C5498C0155EF91
                                                                                                  SHA1:0CF6D5F41937B296EF9D37FC90E56EC8458B96DF
                                                                                                  SHA-256:500B63AEC50B89EF4CEC9ED49E53D168CDC35D235CB416B84234D3E45F3AC365
                                                                                                  SHA-512:1484917CC2A8E88DD4010FEE60394BD974D5C44ED0482DAD64B06A319E1F7E414321B8BDB06C6DE70152CFEA887BBDEFD2F2689C077251E8D2BBC9448FBF8719
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runtime\2702

                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:modified
                                                                                                  Size (bytes):1933
                                                                                                  Entropy (8bit):5.355086078533374
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HhHKe6PfHKWA1eXrHKlT44HK3:iqbYqGSI6oPtzHeqKk9Bq13qhA7qZ44y
                                                                                                  MD5:48BE58ECCC69A336811B1F7A06CBB42D
                                                                                                  SHA1:97487FBB71E394F03DBBAF0144B8ACF949BC8862
                                                                                                  SHA-256:33500DF352C1FB6D3D006FB32E0601EB89B52C79B5D5287213D082D9D19603C7
                                                                                                  SHA-512:0A6E33102F09C3F1C0D89D251511FE5FFA5AB153FC0ECE9284D7FAAE3682168717EDE437D761E4EC321D5971D50255D8D3406B63D1E964F5D72DD966C0D44878
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4

                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:modified
                                                                                                  Size (bytes):3043
                                                                                                  Entropy (8bit):5.361093730986187
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                  MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                  SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                  SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                  SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4

                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):847
                                                                                                  Entropy (8bit):5.354334472896228
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQwYHKGSI6oPtHTHhAHKKkb
                                                                                                  MD5:9F9FA9EFE67E9BBD165432FA39813EEA
                                                                                                  SHA1:6FE9587FB8B6D9FE9FA9ADE987CB8112C294247A
                                                                                                  SHA-256:4488EA75E0AC1E2DEB4B7FC35D304CAED2F877A7FB4CC6B8755AE13D709CF37B
                                                                                                  SHA-512:F4666179D760D32871DDF54700D6B283AD8DA82FA6B867A214557CBAB757F74ACDFCAD824FB188005C0CEF3B05BF2352B9CA51B2C55AECF762468BB8F5560DB3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..

                                                                                                  C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:CSV text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1075
                                                                                                  Entropy (8bit):5.353521172341231
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                  MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                  SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                  SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                  SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7

                                                                                                  C:\Windows\Temp\AnyDesk-CM.msi

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AnyDesk Custom Client, Author: Anydesk Software GmbH, Keywords: Installer, Comments: This installer database contains the logic and data required to install AnyDesk Custom Client., Template: Intel;1033, Revision Number: {628CD9B4-A962-4498-B76B-D464D49A354A}, Create Time/Date: Thu Aug 29 00:38:02 2024, Last Saved Time/Date: Thu Aug 29 00:38:02 2024, Number of Pages: 100, Number of Words: 2, Name of Creating Application: Windows Installer XML (), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8057344
                                                                                                  Entropy (8bit):7.988953383231983
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:196608:OILymQxPL57QTIagWYNK4SCwojU9WAVxeIMK4+q4/40qZdRg:TapCk4YNKroId4zLD0qZ
                                                                                                  MD5:383BFB6F7210EBC9DC025754987B53B0
                                                                                                  SHA1:93FD6096C8DB53F25B16662B270D48814D6166DD
                                                                                                  SHA-256:8DAEF36F8974C24D0FA70124B9EDCEB1162BBFDF95939A905F6D95F3F80B72DB
                                                                                                  SHA-512:AF73AA9E77EDC5F4D3E694E6AE42F209CE676F4C437EA0C4E4D21E4FFA291F2B3C8871FFC2E14C72440F5657258517C3526444AF9700BE4C20167303BC3893E2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...................{........................6....................................................................................................................................................................................................................................................................... ... ...!...!..."..."...#...#...$...$...%...%...&...&...'...'...(...(...)...)...*...*...+...+...,...,...-...-.........../.../...0...0...1...1...2...2...3...3...4...4...5...5...6..........a=......O=..L=...................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

                                                                                                  C:\Windows\Temp\AteraSetupLog.txt

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):204038
                                                                                                  Entropy (8bit):3.7734781961433916
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:qcBUBi6l1APOvoWaPNmrggCkE0n3dMJZGZ3vn9PKes6051mOACFcS7K7wjdAYdGR:qAnjk0je8aj8TQxLS0F/hN
                                                                                                  MD5:F8A095A95F8CEAB45CC810F7BE508508
                                                                                                  SHA1:82CFF5313EEC9D484054F1734858A47E9F3B1C9C
                                                                                                  SHA-256:28663D6A2DA7A220396504E367D273E432A56F03AF1961FDEFCCD6CD0296721C
                                                                                                  SHA-512:B930B311B8A503EC44E69E9BEE8A49EFFAE1BF51F5EF492CA9CA4540B662D63D6FFB7F6BD6AB93B36F013735A98A4B77C7431FC7E7971F2E9E2CC5C67BC48460
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.4./.0.9./.2.0.2.4. . .0.8.:.4.0.:.3.9. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.7.0.:.0.8.). .[.0.8.:.4.0.:.3.9.:.4.5.9.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.7.0.:.0.8.). .[.0.8.:.4.0.:.3.9.:.4.5.9.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.7.0.:.0.8.). .[.0.8.:.4.0.:.3.9.:.4.5.9.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.a.t.e.r.a.A.g.e.n.t.S.e.t.u.p.6.4._.1._.8._.0._.4...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.7.0.:.0.8.). .[.0.8.:.4.0.:.

                                                                                                  C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240904084103_000_dotnet_runtime_6.0.32_win_x64.msi.log

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):566300
                                                                                                  Entropy (8bit):3.8473370822917596
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:rHrimjXxfPlESa2c0hn2FyZG6xxbmPX1JkcOM6+oNakWyaF/X7X1xGpfFNGbZvfd:bjmQY
                                                                                                  MD5:1E0FBCAFF2B4C5E6EF345D2F359C1455
                                                                                                  SHA1:B857DEEFFBC22FB04D8576D0850B81511D186603
                                                                                                  SHA-256:DBBFC27B22BD76FCB58AF94BD80FE5578E6DBA14F655CDD94C00BAF69AC74A07
                                                                                                  SHA-512:2E491079D50A8E96B1979518AC130D48A61CE72D6EA0166AE8C700857E1A390CEC399889666581A8E83067B7F9F7562BDB94D41ADB2ADAA612A0273AE4121E43
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240904084103_000_dotnet_runtime_6.0.32_win_x64.msi.log, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.4./.0.9./.2.0.2.4. . .0.8.:.4.1.:.0.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.5.4.5.D.0.E.F.6.-.1.F.2.B.-.4.B.0.A.-.9.C.6.A.-.F.7.4.3.4.6.4.1.8.1.4.7.}.\...b.e.\.d.o.t.n.e.t.-.r.u.n.t.i.m.e.-.6...0...3.2.-.w.i.n.-.x.6.4...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.B.8.:.1.0.). .[.0.8.:.4.1.:.0.4.:.3.9.7.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.B.8.:.1.0.). .[.0.8.:.4.1.:.0.4.:.3.9.7.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.B.8.:.1.0.). .[.0.8.:.4.1.:.0.4.:.3.9.7.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.3.F.D.C.F.0.A.2.-.7.C.1.F.-.4.1.C.7.-.9.7.4.9.-.0.D.9.1.E.C.2.1.6.A.E.D.}.v.4.8...1.2.8...1.6.7.4.3.\.d.

                                                                                                  C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240904084103_001_dotnet_hostfxr_6.0.32_win_x64.msi.log

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (400), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):99398
                                                                                                  Entropy (8bit):3.8002291575172826
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Mw/w39IlFQKHmkNW7goqiQAFzfj425xRO8EUC6cijGbYHg1V5TjjafZakrsq:M58jafZakYq
                                                                                                  MD5:A4510A1E5B9BAEE1BE40D0976BC9221C
                                                                                                  SHA1:2FDF3BF5D73D3BFDAAB42A65DC9BC7141416E167
                                                                                                  SHA-256:42F1C20CA42CF50BC104B008F7D7B28FB1868EE139D14EA8C8E927821779FD30
                                                                                                  SHA-512:9AA3FA31F699E49277D1A9AE9E0C6B06A328661C77A44CAB9BA01A5D615182197109269918BFA06733387F59B3D9E640995857D4CF44F0818E8E8650AA3058CD
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.32_(x64)_20240904084103_001_dotnet_hostfxr_6.0.32_win_x64.msi.log, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.4./.0.9./.2.0.2.4. . .0.8.:.4.1.:.1.4. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.T.e.m.p.\.{.5.4.5.D.0.E.F.6.-.1.F.2.B.-.4.B.0.A.-.9.C.6.A.-.F.7.4.3.4.6.4.1.8.1.4.7.}.\...b.e.\.d.o.t.n.e.t.-.r.u.n.t.i.m.e.-.6...0...3.2.-.w.i.n.-.x.6.4...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.B.8.:.A.8.). .[.0.8.:.4.1.:.1.4.:.9.1.2.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.B.8.:.A.8.). .[.0.8.:.4.1.:.1.4.:.9.1.2.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.B.8.:.A.8.). .[.0.8.:.4.1.:.1.4.:.9.1.2.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.P.a.c.k.a.g.e. .C.a.c.h.e.\.{.6.6.7.C.B.6.5.3.-.7.0.E.1.-.4.E.2.B.-.9.C.8.E.-.6.A.0.2.A.6.C.F.8.8.B.9.}.v.4.8...1.2.8...1.6.7.4.3.\.d.

                                                                                                  C:\Windows\Temp\PreVer.log.txt

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with very long lines (523), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):507648
                                                                                                  Entropy (8bit):3.816968246910444
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:kjZXnEP0B39ciYS8XS3ghbfq5F9F9b5AxIu1oQ00xxWtcsl/r:
                                                                                                  MD5:33A1D544366984BAF51AF04845D4578D
                                                                                                  SHA1:513463A22E5C9736EFF994471AEB2702EE8E4862
                                                                                                  SHA-256:7035D2A5767B12B6B9C617CF2AE4452CA7D46D70014EECCD48E9696F7C75A4B1
                                                                                                  SHA-512:4E026BA4CFE826A8604F2991E3F0AFBE6757865A1C4A14F71E1B1864F1389E56AB24CA2B3F75CA971410D3D5D743FF306973CA2F0FF9CE4A56EC341497256B71
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .0.4./.0.9./.2.0.2.4. . .0.8.:.4.1.:.1.7. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.y.s.W.O.W.6.4.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.1.8.:.B.8.). .[.0.8.:.4.1.:.1.7.:.4.1.2.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.1.8.:.B.8.). .[.0.8.:.4.1.:.1.7.:.4.1.2.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.1.8.:.B.8.). .[.0.8.:.4.1.:.1.7.:.4.1.2.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .s.e.t.u.p...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.1.8.:.B.8.). .[.0.8.:.4.1.:.1.7.:.4.1.2.].:. .C.l.i.e.n.t.-.s.i.d.e. .a.n.d. .U.I. .i.s. .n.o.n.e. .

                                                                                                  C:\Windows\Temp\SplashtopStreamer.exe

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):52853928
                                                                                                  Entropy (8bit):7.941280777334469
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:786432:iTVOuIdnXeYOf9QBOgMqoaen728gEb4dIgEdj8SmIqm50muEs:AVO+4bvXQ/mo50mhs
                                                                                                  MD5:7C4902773A19057DA00AA30C3D2EF267
                                                                                                  SHA1:175A455382D44852C57248C1F504EA056D514226
                                                                                                  SHA-256:E3F7DD9B306C06C128178B13FF641637CD50722BC92D38E368157FDE94470A58
                                                                                                  SHA-512:6A09E4DC54FE0B696EC46B7A47523DE4A951009AE527825D32D6828925C02B3EF0A629C97A0044812A4EC31C44E0E11E7D5FEFEDDD2883AD9842BAB9AE6347CA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{.}.(.}.(.}.(..8(.}.(.}.(...(..>(.}.(..((w}.(../(N}.(..!(.}.(..?(.}.(..:(.}.(Rich.}.(........PE..L...3..f............................./............@...................................&.....................................h........ ..(............T&..(..........`................................h..@...................$........................text............................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...(.... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\ateraAgentSetup64_1_8_0_4.msi

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {2D689290-A367-4547-AD1E-5C025376FB63}, Create Time/Date: Mon Mar 16 10:59:42 2020, Last Saved Time/Date: Mon Mar 16 10:59:42 2020, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):638976
                                                                                                  Entropy (8bit):7.5889190112758556
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:5wdvg7+Cq7zs913vtwSI1hFO0pSuwu+8jOZy2KsGU6a4KsU:5wvs913vtzOhwVuFhOE2Z34KF
                                                                                                  MD5:F33B8E1AAC1CD66702FFD955C80DF40D
                                                                                                  SHA1:B2262879F16CF1B3A75205DA9A2F99849B01C91F
                                                                                                  SHA-256:DD95DE7B329024C33F2793227585AA185D2C1E32AF4B6D972507E123851D9EEA
                                                                                                  SHA-512:2F81AA584363A2C9A6911136BFCB0AEB1C4FEA54C41DB51FD17D11379D1CD6C51940825DC5827E998FDB9B2461F49DA3D2B653A4469D55FC7F2699A921DD89B5
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF0114A7EAEF71480F.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.6125110119564097
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:Z8PhhuRc06WXJEjT5myVqISoedvPdvbXU6c9glnStedvPdv50ub:Uhh1HjT4yoIcEPuD
                                                                                                  MD5:33717E3E46D58B3E19E3A2A1C646B050
                                                                                                  SHA1:4175E4F920FEC6965868D46BFA79773E6F9687EA
                                                                                                  SHA-256:55F51C24C147E27042CC1761B02E02E92AA5E56D340217EFE00700C5F2513217
                                                                                                  SHA-512:3589A1C42EA3A6ACC5C6243382DAD5953B23D056C335EA92AA806CCFF56AD9F3B49B727273E34F02C8BF2FEE400D22ABD6ED990DD49B3609173F42265D1DA8CF
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0114A7EAEF71480F.TMP, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF0114A7EAEF71480F.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF0276B94610A49950.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2565426135002733
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:66ZuHrh8FXzZT5HdYm81fgSjnd/EqdcrWbQaSsndVWeUJ/J:ZZRnTLn81oIZcCNueA
                                                                                                  MD5:5AE55D03EB703CB68F05FDBCA01DACCD
                                                                                                  SHA1:5D65B3BEB13999C67CAFAB7FD2D348AD8D08410C
                                                                                                  SHA-256:FC7F2AF54DDE40BC5CE084B6FAF746E3601D7A5FFCA54DBA5B11D1EAA519F281
                                                                                                  SHA-512:EEE85552328B3385AC8AB49A3E9ECFBDE000495B9E7DADADC1843AAC78C6EBDA2FC665FD7B3D777A808D725CF9F8CADDFFA0E5F93268433263F010D923A25CCF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF02D57BAE8B0907B3.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.4255780398203413
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:98Ph/uRc06WXOGjT5upa8CUVSAqdGUDsaSIN8l:gh/1IjT0U8CUVeDl
                                                                                                  MD5:03757900B07886BB09CD7774EC9C9039
                                                                                                  SHA1:C27F32575A53932AB257A2C409B4D08ACD0C4FB7
                                                                                                  SHA-256:B2B878C61BA4C2474BDD4AC15852B4852121472BD5B7C4DF23B8C2D23CDF1151
                                                                                                  SHA-512:48889DF79A205118583EB19791A65F44C6B5052FB24C92F0DD54E2A9A040996DC1032D4B0A676B21B75F461DBB1A3392D00C731F5C957DDA0C5EE88FB06BE9F4
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF02D57BAE8B0907B3.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF05F955E4603CBCA5.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF07F72A87CEEC9336.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF09678FF130630BAE.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF13EF076BC6AACD88.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF159640244A9188B5.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF16E97591AF9E57D7.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2775982467018006
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:2OLuXrh8FXzZT5b50dfqqmuSjndddwEqdGUDj0PbQiSsndddSE8Qq:RLlnTV50fqqmuf3DqNaQq
                                                                                                  MD5:4F0F5FC612368AA2881E3F468723891C
                                                                                                  SHA1:E43BF353574EC16D2B9D24D16EEA3AF61F2990A8
                                                                                                  SHA-256:A6CE4FEA8DA69112E750D80CF5FF8B9F794BB8E4D31F724BC738BF38D02BDBAF
                                                                                                  SHA-512:A12A8041CF7399FA45565663A591C875AA8DAD3DB33DF1FDBF639A8EB3D890362ADA341105105CF799C962FF2310354A73A4A7A833E3E25029D2734D7B2EF20C
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF16E97591AF9E57D7.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF1C011ABA9B3071CE.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.5702996571617849
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:28PhFuRc06WXz+jT5XidYm811i0Sjnd/EqdGUDj0PbQ6Ssnd/E8J:JhF1jjT5en811i0I3DqNP
                                                                                                  MD5:15194D93808925302558E04039F0659C
                                                                                                  SHA1:9C5C6E0FAFE17A655CD25ABDCCAE4880FCFB8122
                                                                                                  SHA-256:F38D476ECB127B13572C9CBB464F954A819027EE7CF5671FB99AB176212587A4
                                                                                                  SHA-512:B104B821393B604C015456EE9DFEBE247366945BDB2716EC3A467A6117A4A68F4EEA15C4F1625F6B13954C29DE936A5AED998E290CB3DA63353CDA6A2AB30BAF
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1C011ABA9B3071CE.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF20A7956A2F544243.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF211203521E827CF4.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.6004320040345241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:88PhTuRc06WXz+jT530dfqqmuSjndddwEqdGUDj0PbQiSsndddSE8Qq:ThT1jjTJ0fqqmuf3DqNaQq
                                                                                                  MD5:95A6D51978C6AB5D65C4B4990FE63406
                                                                                                  SHA1:DDFBC7A3D33EAC3C707A1EE2A9B85C5260DF9891
                                                                                                  SHA-256:C1D492C17E0FEBB4E9D6DEE52AEBF54152F5C903BC57FF0E77F0D1C2F96877DF
                                                                                                  SHA-512:A18D50B089DF03975272299067466539BD8F9D1E4B0B75FB64B2003A4D03D065533B89FF01C973914E56B3702A3E6B6B60E23E284DCAC28600A77292871844AA
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF211203521E827CF4.TMP, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF211203521E827CF4.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF21198E3CB7C20841.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF21F7EFC411081E97.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF24648D54C9A5BE6D.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.4255780398203413
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:98Ph/uRc06WXOGjT5upa8CUVSAqdGUDsaSIN8l:gh/1IjT0U8CUVeDl
                                                                                                  MD5:03757900B07886BB09CD7774EC9C9039
                                                                                                  SHA1:C27F32575A53932AB257A2C409B4D08ACD0C4FB7
                                                                                                  SHA-256:B2B878C61BA4C2474BDD4AC15852B4852121472BD5B7C4DF23B8C2D23CDF1151
                                                                                                  SHA-512:48889DF79A205118583EB19791A65F44C6B5052FB24C92F0DD54E2A9A040996DC1032D4B0A676B21B75F461DBB1A3392D00C731F5C957DDA0C5EE88FB06BE9F4
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF24648D54C9A5BE6D.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF2C6998768CD931A6.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.08881027705318707
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:/nAXN8l5ipVvipVEGLaVgdGSLMCltMCleZkfU49+92+Rlpb:CN8l5S9SAqdGUDscUYzCp
                                                                                                  MD5:B5F43FAB87B613F2E0B0055A0C843D23
                                                                                                  SHA1:CDDC171BA9A19E8A87F3C02D377444208E3937F1
                                                                                                  SHA-256:E003567F6D278F86FDA5C2CB1128CE0B4DF69B6D51EF6A9A053FCEDF530F7AE2
                                                                                                  SHA-512:8E05A312DB01EFCA1701F665EB769C7E2DD9D04456547285DAD411DA09E375D3C7FF49ECC79DC2B862CFD7C77DD1D54A781581A3E55225279BAED9D0122FDC06
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF2C6998768CD931A6.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF2E148A7E0411782D.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF2E61B9FBDD659093.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF3AAD9A74C126CA8A.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.5702996571617849
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:28PhFuRc06WXz+jT5XidYm811i0Sjnd/EqdGUDj0PbQ6Ssnd/E8J:JhF1jjT5en811i0I3DqNP
                                                                                                  MD5:15194D93808925302558E04039F0659C
                                                                                                  SHA1:9C5C6E0FAFE17A655CD25ABDCCAE4880FCFB8122
                                                                                                  SHA-256:F38D476ECB127B13572C9CBB464F954A819027EE7CF5671FB99AB176212587A4
                                                                                                  SHA-512:B104B821393B604C015456EE9DFEBE247366945BDB2716EC3A467A6117A4A68F4EEA15C4F1625F6B13954C29DE936A5AED998E290CB3DA63353CDA6A2AB30BAF
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF3AAD9A74C126CA8A.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF3BD61344BBED9A9C.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.07983391774199625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO4yEOjg7SVky6l/X:2F0i8n0itFzDHF2Vt/X
                                                                                                  MD5:8EFFECF0F29DB122BC857B544D850D65
                                                                                                  SHA1:DE6A8B49C932AA051169EE79D7070F520E4E70BE
                                                                                                  SHA-256:57A76199CC984828B15FFAE86BB219DF22ECB3087CAC3BC4ED5FD8F1FC7E81AA
                                                                                                  SHA-512:05C0A6D612BABE246412C4FD2A70CCFC9375AE11736461A693561E5E8436B11B13E5D7B20E41E1A8F0E1BAC7576C8A9B2CD925D46FF8672AFA6492ACF6C1C1CD
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF3FE76ADBE4DFA7C1.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF42F5E8848D1A354A.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF4436F7C81EF2F21F.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF4ED24C8238DCF176.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2551227873787485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:W69u5rh8FXzZT5nidYm811i0Sjnd/EqdGUDj0PbQ6Ssnd/E8J:l9LnTxen811i0I3DqNP
                                                                                                  MD5:44CAC83A006594A68C76B298C0696EF3
                                                                                                  SHA1:D125814D03521BA90A26E7A43F10F9DF3374AF0D
                                                                                                  SHA-256:C76C3CA4CAAEE06E506D47B0ED117A572EBCD0B7D41E13340C0C4C51029A5144
                                                                                                  SHA-512:9A719EFCC7AA3AB39CFF7BBAA0F2D1F716D8FDC0419F940CE9E865A9C54CDD434FE4DF61F45F50CE9EF48AD20F1848913E1F6BF10E397152064CE55A3977F59C
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF4ED24C8238DCF176.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF4F843E2957CFCA9E.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.08894337454703272
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOheI9VRjwrdxoVky6lkt/:2F0i8n0itFzDHFhX9vwplk1
                                                                                                  MD5:FCFBB019A3D3DA9504CB2661CA4C2798
                                                                                                  SHA1:4C80EC2F338A67D9137DCE409F8EF08B42F02EA3
                                                                                                  SHA-256:FECA949F821C25F7805A66E6F8607212F13BFB1F1AC31C725787464A150F479B
                                                                                                  SHA-512:3E1C85524130669F5D4484367F4F0186EB0AABA6E62D215AC3E9F058F7F92B89E34C20220864ED02AF283E49F002B1E5535F465B8496B02F174DCF25B8276FE2
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF55D5C81752E491DB.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF56C5CB24C534DF14.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.06950320884269956
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOYoZP6vrb/mGyVky6l3X:2F0i8n0itFzDHFYoZcb/mE3X
                                                                                                  MD5:94C13FB9EF5EF951A85D1C32AFA6C9C2
                                                                                                  SHA1:CD5F13919BD986A2089DECDFF55BEEDCAE1EBB23
                                                                                                  SHA-256:45F535F618E75A2A66C7262330DA4BD5B73B232ED1891958487AAEC37F460708
                                                                                                  SHA-512:00E74FBE06DCAA5843E41B87577C7314C25188548001115CA939F7763CEDD523BAF7DA613C6A838E2F7744E689320B0E24942174C8F7EA2339CE81EBC98AAA77
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF5F8D2BCC61A473AD.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.13969035399560262
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:XeubmStedGPdGeqISoedGPdGfcrm+Hxb:HyLI0
                                                                                                  MD5:FEC98404DB9092414E1F5389219A39F9
                                                                                                  SHA1:E103B539992183A2482CB869A3DFFCEA8E090313
                                                                                                  SHA-256:13F842AB1A92DE7CF90EECD6ED00E8F9DDE63B5E9C63F7B5934C37B402C3672C
                                                                                                  SHA-512:FB80F7490C4D9D334428FE3BF54E28D0534B02D8DB06CE1D5064FB2019157E72A247E15D369BDAC8449E5B9C11041EAAE55415959CBB0CA20543CAD2289B107B
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF5F8D2BCC61A473AD.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF655A74B9BA445056.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2551227873787485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:W69u5rh8FXzZT5nidYm811i0Sjnd/EqdGUDj0PbQ6Ssnd/E8J:l9LnTxen811i0I3DqNP
                                                                                                  MD5:44CAC83A006594A68C76B298C0696EF3
                                                                                                  SHA1:D125814D03521BA90A26E7A43F10F9DF3374AF0D
                                                                                                  SHA-256:C76C3CA4CAAEE06E506D47B0ED117A572EBCD0B7D41E13340C0C4C51029A5144
                                                                                                  SHA-512:9A719EFCC7AA3AB39CFF7BBAA0F2D1F716D8FDC0419F940CE9E865A9C54CDD434FE4DF61F45F50CE9EF48AD20F1848913E1F6BF10E397152064CE55A3977F59C
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF655A74B9BA445056.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF6B85D877951C251C.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF70777B487D973BA8.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.1526407262061997
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:lynu9GMLFXOhT5Ppa8CUVSAqdGUDsaSIN8l:snasTBU8CUVeDl
                                                                                                  MD5:59416A2512FA478CA68D8F21567B0593
                                                                                                  SHA1:A66F043CB44AA605FFBB3FA011674F16BAF62AD7
                                                                                                  SHA-256:3C5F6F044231AC030F0244F9235CB57E3CE85EB901BBE6EEB90371B5E8F95758
                                                                                                  SHA-512:D6E251BA791245A66C58591AB1A54A606AD13D1C5143120C22A3A5F57536FA63FAC68F07B14B611E36C7ED4E845466651251C493E3DC590FBD41F92B3CEBFDB3
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF70777B487D973BA8.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF757F12F3A142C008.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF769902E7494E7123.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.1526407262061997
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:lynu9GMLFXOhT5Ppa8CUVSAqdGUDsaSIN8l:snasTBU8CUVeDl
                                                                                                  MD5:59416A2512FA478CA68D8F21567B0593
                                                                                                  SHA1:A66F043CB44AA605FFBB3FA011674F16BAF62AD7
                                                                                                  SHA-256:3C5F6F044231AC030F0244F9235CB57E3CE85EB901BBE6EEB90371B5E8F95758
                                                                                                  SHA-512:D6E251BA791245A66C58591AB1A54A606AD13D1C5143120C22A3A5F57536FA63FAC68F07B14B611E36C7ED4E845466651251C493E3DC590FBD41F92B3CEBFDB3
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF769902E7494E7123.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF76EE9642C089D4F3.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF7884A5394D9052ED.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2294473570591442
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:7VUuKJveFXJfT5qyCqISoedGPdGNoaStedGPdGk:BU4HTMy3Iax
                                                                                                  MD5:1B18258F77EA1A854E6757A3033D2A66
                                                                                                  SHA1:714CB94772385968B4C191874AF42A655F3525F5
                                                                                                  SHA-256:E8BFED0893117F98B1DB1D8EAA818A975B82A6B915111254F649A80176B215ED
                                                                                                  SHA-512:2B498886375EED7552EEE345FA16DDE58A5A574DCE27624091F2EBAFC6E03CBADAC30B96ABFB4AF607A05A6430DD0B87E35C84E1F892E1A74390D5AAC6CA76B7
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7884A5394D9052ED.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF7ABD191A9525A9AA.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.5554458369935937
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:lp8PhOuRc06WX4mjT5SHxbhJqISoedGPdGfcrTStedGPdGRubJ:uhO1WjTA0IJo
                                                                                                  MD5:794F25A18DFCBBF2E978881965B14FEB
                                                                                                  SHA1:C939D4FE3A331C87195B61D39C5937FADF1DA040
                                                                                                  SHA-256:0D725B9C0CAEA08AFE968130CF7A85AAFDBDE5A3BFFB20252308F9F55B9237B4
                                                                                                  SHA-512:C2FF382E96D789FA9D592AB9F524D956671B6D377EEED22888629353AB31366E64730529AA02340621D64615F48577F6897804426663C4B1F2218F553F783350
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7ABD191A9525A9AA.TMP, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF7ABD191A9525A9AA.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF7F1486E085492AB4.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF826AEE79DE8897CD.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF83E5E2CE686E4BF9.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF84BE7EE8B38FA38A.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2203371869631303
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:b8PhcuRc06WXJEjT52yCqISoedGPdGNoaStedGPdGk:Chc1HjTIy3Iax
                                                                                                  MD5:7DC5F971666D305EEC4B119B168F0497
                                                                                                  SHA1:D1CC426DA546DCBA9E48232BB2B4A1E3481DBF0A
                                                                                                  SHA-256:7984CA4CFF5AB36DC08A03708A242D9B2FA04AA69230645BF5D603791F598FFF
                                                                                                  SHA-512:5C2EE8D9B2D4D172D2D1FA7BD5E0EAE681BC533750E1683DB8B125DBBD376E5D8B77D0A76B812EBEC37FF973C18669316CB0E62649171C6B14F6CC5CDB577F81
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF84BE7EE8B38FA38A.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF868EC19AE7A8B005.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2203371869631303
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:b8PhcuRc06WXJEjT52yCqISoedGPdGNoaStedGPdGk:Chc1HjTIy3Iax
                                                                                                  MD5:7DC5F971666D305EEC4B119B168F0497
                                                                                                  SHA1:D1CC426DA546DCBA9E48232BB2B4A1E3481DBF0A
                                                                                                  SHA-256:7984CA4CFF5AB36DC08A03708A242D9B2FA04AA69230645BF5D603791F598FFF
                                                                                                  SHA-512:5C2EE8D9B2D4D172D2D1FA7BD5E0EAE681BC533750E1683DB8B125DBBD376E5D8B77D0A76B812EBEC37FF973C18669316CB0E62649171C6B14F6CC5CDB577F81
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF868EC19AE7A8B005.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF86E576608BAE36CB.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF8BA78800FF43A90B.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2565426135002733
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:66ZuHrh8FXzZT5HdYm81fgSjnd/EqdcrWbQaSsndVWeUJ/J:ZZRnTLn81oIZcCNueA
                                                                                                  MD5:5AE55D03EB703CB68F05FDBCA01DACCD
                                                                                                  SHA1:5D65B3BEB13999C67CAFAB7FD2D348AD8D08410C
                                                                                                  SHA-256:FC7F2AF54DDE40BC5CE084B6FAF746E3601D7A5FFCA54DBA5B11D1EAA519F281
                                                                                                  SHA-512:EEE85552328B3385AC8AB49A3E9ECFBDE000495B9E7DADADC1843AAC78C6EBDA2FC665FD7B3D777A808D725CF9F8CADDFFA0E5F93268433263F010D923A25CCF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF8C03868D234AE674.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.5719105721663353
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:Z8PhhuRc06WXz+jT53dYm81fgSjnd/EqdcrWbQaSsndVWeUJ/J:Uhh1jjTTn81oIZcCNueA
                                                                                                  MD5:7980ADAF1DD3E73834B1A431AA17B09C
                                                                                                  SHA1:794757CB9A77542337E89B59AB26F87EF65A8C9B
                                                                                                  SHA-256:2418B3FC2C5406B78797DB11092B27AC6198BB31BC65D14103B15DD210CD0402
                                                                                                  SHA-512:8A22EA83BA9706AB52857CA47E12FB4BA867CC6D0EBEFDC13AAC1AB001BB4C43043569079D49F0FC538006893C7ACED79161325F18A99DAD00A811567DEF31B7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF8E1661A18884E74A.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF94748B777D03F7AE.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF955436548E4003F7.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF97EB4D6205F239D3.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.1542730664897843
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:9ubmStedvPdv+qISoedvPdvbXU6c9glsf:0ybIcEP7f
                                                                                                  MD5:E224ECC10F852D6F4AE43FDF38A2F124
                                                                                                  SHA1:7880209AD878A832D6E0468BC4E6E1AC6863B6AE
                                                                                                  SHA-256:E2FF63F0ACA81D8AE334F080A6FE3124BB83D508CC9AC0BA624D968294B8E63C
                                                                                                  SHA-512:F3C3992842828C002888BA38A1CF13AAE8B09C3D2001322EEC32C8012D0F9C3EE6001A4882D72441AE138DAACF1415A0AC28E88196E5A3DED8EA03C369F59218
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF97EB4D6205F239D3.TMP, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF97EB4D6205F239D3.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DF9A71F6C80486E46B.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFA168B4CCF1176679.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.1298447615045762
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:XeipVfedGSadGS7qIipVGedGSadGSwIKGMWTZkCm9+7+tgP:XeStedGPdGeqISoedGPdGNowE
                                                                                                  MD5:EAF7D27C6BE6C4D4DA0D729DF1F370D1
                                                                                                  SHA1:7DA7952A4AA87FC0BC85A4D9A1417E5DF39925B0
                                                                                                  SHA-256:D271E7C5BB7C27BC612CAABCD966C3B9D853591FD0564D790D7EE8B3AED4EEE7
                                                                                                  SHA-512:86C79DA353ACFEA5981D66E36E9A12D0FCB39EFCCA84988EAC06599D9AA663F7FFAD534EE0850D1751D190D49D92E528D23FD93021F3E1AF762C153C15169D4B
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA168B4CCF1176679.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFA5242E6744A4A813.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.15715565447494012
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:6qoWEuSsndddPSjndddwEqdGUDj0PbQPkdfqqg:6qoW9f3Dq2kfqqg
                                                                                                  MD5:472E3F4565D7B2711618431F9AA21D7A
                                                                                                  SHA1:C9CE571910EB8B0D798E06516BF92C61D0483507
                                                                                                  SHA-256:884B656624F4FD8CADD98EC75A4C89598DFCCBF332B76EA0AFD8CFB26AC84B46
                                                                                                  SHA-512:8BA63BD13CDA834C257F561D7C2A924689BF1FC75CECC8747C4D46474ED6169D4C1DD1DE51265087F7C231EE459F5A7536D85769987C3019FBE5276F968E6A97
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA5242E6744A4A813.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFA6D377B6A47B1752.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.14510618392116406
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:TURWeUJ4SsndYSjnd/EqdcrWbQnf+dYm8:Ace9WIZcCman8
                                                                                                  MD5:E6B03C5C2CEDE1D5727DD350440505B6
                                                                                                  SHA1:E07C34DA9718119FCB933BC4395710369D59FC1C
                                                                                                  SHA-256:9443D5E327ED6135BF2AEC4A7ADA82863085A3B349019E8581AC747EF6204476
                                                                                                  SHA-512:0F2EB95D9B861EF25DD1D3A268B62E3E30FC5CEA0EAEFAD76EC07D32D5506EFA400454E42A1F5D79C20DD08D7390C2FFAC59398A0763DDBCBD45E0737FFC11F3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFA786ED6563BB7942.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2462022368420547
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3zGuPI+xFX4BT5pHxbhJqISoedGPdGfcrTStedGPdGRubJ:DGGCTz0IJo
                                                                                                  MD5:23C2731D1A2078834C032875E4671FC5
                                                                                                  SHA1:53DA585FDC2F6A5047E7B4CBB7D38F150231A8D8
                                                                                                  SHA-256:1839A47D2ADA8F25B1B42688A30187D748D70C0268F60715AB261AB3D35928E8
                                                                                                  SHA-512:2AAB3FC1002326CD46449A1C35A8CA256C7180FC38587699B530FE17A7CFA69B8625CB01F6784BE65750578EBC575C79641B481DD9E189F530B897E4AA2C1FD6
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA786ED6563BB7942.TMP, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA786ED6563BB7942.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFAF2CCBFA9D5D1553.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2462022368420547
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3zGuPI+xFX4BT5pHxbhJqISoedGPdGfcrTStedGPdGRubJ:DGGCTz0IJo
                                                                                                  MD5:23C2731D1A2078834C032875E4671FC5
                                                                                                  SHA1:53DA585FDC2F6A5047E7B4CBB7D38F150231A8D8
                                                                                                  SHA-256:1839A47D2ADA8F25B1B42688A30187D748D70C0268F60715AB261AB3D35928E8
                                                                                                  SHA-512:2AAB3FC1002326CD46449A1C35A8CA256C7180FC38587699B530FE17A7CFA69B8625CB01F6784BE65750578EBC575C79641B481DD9E189F530B897E4AA2C1FD6
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFAF2CCBFA9D5D1553.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFAFEA10D23247A300.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):0.996518462718314
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:1uZup/BJveFXJfT5hxyVqISoedvPdvbXU6c9glnStedvPdv50ub:gZY2HTPxyoIcEPuD
                                                                                                  MD5:D01A321EA47A2385DCAE07F8C675D545
                                                                                                  SHA1:F53070ABF6C5DDB07893AD425FA1CBD322D4DD1A
                                                                                                  SHA-256:41AA457DF7D08C65F1CE4C5A49F46C13F74AA9931DDFD79FA7F575C63B6E8CDA
                                                                                                  SHA-512:5A410B6B08DFEF15480F17142D404AC7192DD2FBBD90C4C2D2259ECEB62CCA92A7D24D3700D44569C3C3902AED8AF6CC84232EF87D13B7EFE6207A91E9CD3761
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFAFEA10D23247A300.TMP, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFAFEA10D23247A300.TMP, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFAFEA10D23247A300.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFB114EFF60688BE25.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):147456
                                                                                                  Entropy (8bit):3.0953697801729434
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:FpZz6zFooEd6QFo7KjJUFJ9yQscVU0r/l0az6zFooEd6QFo7KjJUFJ9yQscVU0r/:bZ2zOhUm44QdxOa2zOhUm44Qdx
                                                                                                  MD5:3D0247F81ED73ACE95F4DE15DF28216C
                                                                                                  SHA1:84CB859F84E3ED06554D9FE7A8DFD18DE8BCD5AC
                                                                                                  SHA-256:67B3B05702FBBB540D2F0E0822AEFA2C1374765183FA41C97EF7A4144A470C5F
                                                                                                  SHA-512:2E67363BC5FAC0E686387892CE5BBF9126905B66ADFD238447BF54A72E438420FC6BE5E575C37A386EAD5C73CE8D23DD907917949AD159A3B195016A76AE6863
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFB179B7CBB51DF02E.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2294473570591442
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:7VUuKJveFXJfT5qyCqISoedGPdGNoaStedGPdGk:BU4HTMy3Iax
                                                                                                  MD5:1B18258F77EA1A854E6757A3033D2A66
                                                                                                  SHA1:714CB94772385968B4C191874AF42A655F3525F5
                                                                                                  SHA-256:E8BFED0893117F98B1DB1D8EAA818A975B82A6B915111254F649A80176B215ED
                                                                                                  SHA-512:2B498886375EED7552EEE345FA16DDE58A5A574DCE27624091F2EBAFC6E03CBADAC30B96ABFB4AF607A05A6430DD0B87E35C84E1F892E1A74390D5AAC6CA76B7
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB179B7CBB51DF02E.TMP, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB179B7CBB51DF02E.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFB20E280C6714B264.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFB32B39B2AAA6C1DA.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2462022368420547
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:3zGuPI+xFX4BT5pHxbhJqISoedGPdGfcrTStedGPdGRubJ:DGGCTz0IJo
                                                                                                  MD5:23C2731D1A2078834C032875E4671FC5
                                                                                                  SHA1:53DA585FDC2F6A5047E7B4CBB7D38F150231A8D8
                                                                                                  SHA-256:1839A47D2ADA8F25B1B42688A30187D748D70C0268F60715AB261AB3D35928E8
                                                                                                  SHA-512:2AAB3FC1002326CD46449A1C35A8CA256C7180FC38587699B530FE17A7CFA69B8625CB01F6784BE65750578EBC575C79641B481DD9E189F530B897E4AA2C1FD6
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB32B39B2AAA6C1DA.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFB35E1D2CB7B8B02E.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):0.996518462718314
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:1uZup/BJveFXJfT5hxyVqISoedvPdvbXU6c9glnStedvPdv50ub:gZY2HTPxyoIcEPuD
                                                                                                  MD5:D01A321EA47A2385DCAE07F8C675D545
                                                                                                  SHA1:F53070ABF6C5DDB07893AD425FA1CBD322D4DD1A
                                                                                                  SHA-256:41AA457DF7D08C65F1CE4C5A49F46C13F74AA9931DDFD79FA7F575C63B6E8CDA
                                                                                                  SHA-512:5A410B6B08DFEF15480F17142D404AC7192DD2FBBD90C4C2D2259ECEB62CCA92A7D24D3700D44569C3C3902AED8AF6CC84232EF87D13B7EFE6207A91E9CD3761
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFB35E1D2CB7B8B02E.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFB60851E902192027.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFB7E7D5EE2D5DA660.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.07896689188905408
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOAYJFROO+G9IbSVky6l/X:2F0i8n0itFzDHF7DRONN/X
                                                                                                  MD5:FC085151AC0BD68B194323C7908CA49A
                                                                                                  SHA1:4A5C9448EFDD9AD87B9C7843D2C6519C24714B08
                                                                                                  SHA-256:05E716D0BC6AE5C79D82BB4532AB460E0C341F227B47F84FEEF5B3831C145CD6
                                                                                                  SHA-512:6044C1DF5E4161E65DB91D072B7CFA8CED9556741BBF6322CBB2DF4498CBD1B6E23CA49DD438AC7BCFF5B9C6347D664F2329E98F0BD684D303C9806BB184B38D
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFB97FFDF41FA3DB83.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):147456
                                                                                                  Entropy (8bit):3.0953697801729434
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:FpZz6zFooEd6QFo7KjJUFJ9yQscVU0r/l0az6zFooEd6QFo7KjJUFJ9yQscVU0r/:bZ2zOhUm44QdxOa2zOhUm44Qdx
                                                                                                  MD5:3D0247F81ED73ACE95F4DE15DF28216C
                                                                                                  SHA1:84CB859F84E3ED06554D9FE7A8DFD18DE8BCD5AC
                                                                                                  SHA-256:67B3B05702FBBB540D2F0E0822AEFA2C1374765183FA41C97EF7A4144A470C5F
                                                                                                  SHA-512:2E67363BC5FAC0E686387892CE5BBF9126905B66ADFD238447BF54A72E438420FC6BE5E575C37A386EAD5C73CE8D23DD907917949AD159A3B195016A76AE6863
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFBCADEF77F70AC7B6.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFC3161F056BF1486D.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFC841E8278A97E126.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.07793163127720673
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOKjwo0uDQAfiVky6l51:2F0i8n0itFzDHFKjSy75r
                                                                                                  MD5:04F1BCC16105C27F81AD4CC3C2BFB6E2
                                                                                                  SHA1:B81000D3D072384E8860BFF75236C3436AFFE062
                                                                                                  SHA-256:ECB9DBC91D718B517DC7A80B783C0E50C2C43CEED7C5F7BE70EB8C96C228AE6B
                                                                                                  SHA-512:761320402873E71990030818C98F8667203343F4AF8F7BEE23874E28ABEE1C41B6297020C8AD325E8CDD6117B663AC961E21990014456D873B5F104C2850F7CA
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFCB9A8020C2FD114B.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2565426135002733
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:66ZuHrh8FXzZT5HdYm81fgSjnd/EqdcrWbQaSsndVWeUJ/J:ZZRnTLn81oIZcCNueA
                                                                                                  MD5:5AE55D03EB703CB68F05FDBCA01DACCD
                                                                                                  SHA1:5D65B3BEB13999C67CAFAB7FD2D348AD8D08410C
                                                                                                  SHA-256:FC7F2AF54DDE40BC5CE084B6FAF746E3601D7A5FFCA54DBA5B11D1EAA519F281
                                                                                                  SHA-512:EEE85552328B3385AC8AB49A3E9ECFBDE000495B9E7DADADC1843AAC78C6EBDA2FC665FD7B3D777A808D725CF9F8CADDFFA0E5F93268433263F010D923A25CCF
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFCE69C277706D21E4.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFCF5527663F6EA695.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):180224
                                                                                                  Entropy (8bit):2.3715956650941714
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:haz6zFooEd6QFo7KjJUFJ9yQscVU0r/Vz6zFooEd6QFo7KjJUFJ9yQscVU0r/l:ha2zOhUm44Qdx92zOhUm44Qdx
                                                                                                  MD5:8274411CA28619D5C706A40E3BFFEC5C
                                                                                                  SHA1:94E2C1144FF32CC94A4E423773280556D5443E6A
                                                                                                  SHA-256:D1715CC6B297A41DF90ABDDABA97AE6F9F0E735B564E2420CC1063F202E39C89
                                                                                                  SHA-512:670C923C90754A7CB5B1B927E8D131DF4F4B2E59052EA00D270A4C88693F6988BE7DC4B34B985F2F3F40F56932D0C6223AAC77E589093FBC1825E685416CFFD3
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFCFD2CAF74D7BDCB3.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFD312689799DC7A0C.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2294473570591442
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:7VUuKJveFXJfT5qyCqISoedGPdGNoaStedGPdGk:BU4HTMy3Iax
                                                                                                  MD5:1B18258F77EA1A854E6757A3033D2A66
                                                                                                  SHA1:714CB94772385968B4C191874AF42A655F3525F5
                                                                                                  SHA-256:E8BFED0893117F98B1DB1D8EAA818A975B82A6B915111254F649A80176B215ED
                                                                                                  SHA-512:2B498886375EED7552EEE345FA16DDE58A5A574DCE27624091F2EBAFC6E03CBADAC30B96ABFB4AF607A05A6430DD0B87E35C84E1F892E1A74390D5AAC6CA76B7
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD312689799DC7A0C.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFD3B8D326BBEE075A.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.5554458369935937
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:lp8PhOuRc06WX4mjT5SHxbhJqISoedGPdGfcrTStedGPdGRubJ:uhO1WjTA0IJo
                                                                                                  MD5:794F25A18DFCBBF2E978881965B14FEB
                                                                                                  SHA1:C939D4FE3A331C87195B61D39C5937FADF1DA040
                                                                                                  SHA-256:0D725B9C0CAEA08AFE968130CF7A85AAFDBDE5A3BFFB20252308F9F55B9237B4
                                                                                                  SHA-512:C2FF382E96D789FA9D592AB9F524D956671B6D377EEED22888629353AB31366E64730529AA02340621D64615F48577F6897804426663C4B1F2218F553F783350
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD3B8D326BBEE075A.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFD3F1F486E5A9F00D.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):49152
                                                                                                  Entropy (8bit):0.996518462718314
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:1uZup/BJveFXJfT5hxyVqISoedvPdvbXU6c9glnStedvPdv50ub:gZY2HTPxyoIcEPuD
                                                                                                  MD5:D01A321EA47A2385DCAE07F8C675D545
                                                                                                  SHA1:F53070ABF6C5DDB07893AD425FA1CBD322D4DD1A
                                                                                                  SHA-256:41AA457DF7D08C65F1CE4C5A49F46C13F74AA9931DDFD79FA7F575C63B6E8CDA
                                                                                                  SHA-512:5A410B6B08DFEF15480F17142D404AC7192DD2FBBD90C4C2D2259ECEB62CCA92A7D24D3700D44569C3C3902AED8AF6CC84232EF87D13B7EFE6207A91E9CD3761
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD3F1F486E5A9F00D.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFDBE0BA6093BFD3E7.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFDD0A695386F05727.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.1526407262061997
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:lynu9GMLFXOhT5Ppa8CUVSAqdGUDsaSIN8l:snasTBU8CUVeDl
                                                                                                  MD5:59416A2512FA478CA68D8F21567B0593
                                                                                                  SHA1:A66F043CB44AA605FFBB3FA011674F16BAF62AD7
                                                                                                  SHA-256:3C5F6F044231AC030F0244F9235CB57E3CE85EB901BBE6EEB90371B5E8F95758
                                                                                                  SHA-512:D6E251BA791245A66C58591AB1A54A606AD13D1C5143120C22A3A5F57536FA63FAC68F07B14B611E36C7ED4E845466651251C493E3DC590FBD41F92B3CEBFDB3
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDD0A695386F05727.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFDEE8C20B33D20C5D.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):69632
                                                                                                  Entropy (8bit):0.1449141791186652
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:TUSEuSsndYSjnd/EqdGUDj0PbQGT1CdYm8p:AiWI3Dq/T1+n8p
                                                                                                  MD5:38D45E087303D2433096B391D543CDB1
                                                                                                  SHA1:753CBEC30BA1CA6375D2124EBD0F91D05301DBA1
                                                                                                  SHA-256:4EF3673A31A16AD4CECA871BE3FBC80EC2227C3B4CB135821CD96098EB0CA4A3
                                                                                                  SHA-512:8AF7DD07AB1D282233371D55FBB519210DD8222C264E12361DC4045581805048215374F440C5A52D613CDEA40646A40ED6B18D9D93D584418BFC2F5D7E683E62
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDEE8C20B33D20C5D.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFE4AEDF4B05527C68.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFE688E834D8384298.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFEC7BFDF0396EF13B.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2551227873787485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:W69u5rh8FXzZT5nidYm811i0Sjnd/EqdGUDj0PbQ6Ssnd/E8J:l9LnTxen811i0I3DqNP
                                                                                                  MD5:44CAC83A006594A68C76B298C0696EF3
                                                                                                  SHA1:D125814D03521BA90A26E7A43F10F9DF3374AF0D
                                                                                                  SHA-256:C76C3CA4CAAEE06E506D47B0ED117A572EBCD0B7D41E13340C0C4C51029A5144
                                                                                                  SHA-512:9A719EFCC7AA3AB39CFF7BBAA0F2D1F716D8FDC0419F940CE9E865A9C54CDD434FE4DF61F45F50CE9EF48AD20F1848913E1F6BF10E397152064CE55A3977F59C
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFEC7BFDF0396EF13B.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFEF35E6A24E4A9469.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFEF91747A184AAA78.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.5719105721663353
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:Z8PhhuRc06WXz+jT53dYm81fgSjnd/EqdcrWbQaSsndVWeUJ/J:Uhh1jjTTn81oIZcCNueA
                                                                                                  MD5:7980ADAF1DD3E73834B1A431AA17B09C
                                                                                                  SHA1:794757CB9A77542337E89B59AB26F87EF65A8C9B
                                                                                                  SHA-256:2418B3FC2C5406B78797DB11092B27AC6198BB31BC65D14103B15DD210CD0402
                                                                                                  SHA-512:8A22EA83BA9706AB52857CA47E12FB4BA867CC6D0EBEFDC13AAC1AB001BB4C43043569079D49F0FC538006893C7ACED79161325F18A99DAD00A811567DEF31B7
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFF0B3E249677FDEBA.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.07195489426932822
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKODJJRTZEXhGkPhgVky6lit/:2F0i8n0itFzDHFlGkkPdit/
                                                                                                  MD5:ED874D0CBD14423301E3D6B56FE80CD7
                                                                                                  SHA1:B916AC27C355686F5A09242F21AC32FA399CFC98
                                                                                                  SHA-256:5A0FCC3BFB9D6C81BE74B41195E578448944211511D125B08FE7D63D9B960874
                                                                                                  SHA-512:6219276661D645C103843D0D62788DB4AC08BBEC6A048679AF41FE21EA62B1C5FC7A2D9D3116905035EE95EAB6EDEB3788D4B2352F04341D3C2C1CDEFF5209A9
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFF573D81CD81747E6.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.6125110119564097
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:Z8PhhuRc06WXJEjT5myVqISoedvPdvbXU6c9glnStedvPdv50ub:Uhh1HjT4yoIcEPuD
                                                                                                  MD5:33717E3E46D58B3E19E3A2A1C646B050
                                                                                                  SHA1:4175E4F920FEC6965868D46BFA79773E6F9687EA
                                                                                                  SHA-256:55F51C24C147E27042CC1761B02E02E92AA5E56D340217EFE00700C5F2513217
                                                                                                  SHA-512:3589A1C42EA3A6ACC5C6243382DAD5953B23D056C335EA92AA806CCFF56AD9F3B49B727273E34F02C8BF2FEE400D22ABD6ED990DD49B3609173F42265D1DA8CF
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF573D81CD81747E6.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFFBC50EC9FCD8D654.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2775982467018006
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:2OLuXrh8FXzZT5b50dfqqmuSjndddwEqdGUDj0PbQiSsndddSE8Qq:RLlnTV50fqqmuf3DqNaQq
                                                                                                  MD5:4F0F5FC612368AA2881E3F468723891C
                                                                                                  SHA1:E43BF353574EC16D2B9D24D16EEA3AF61F2990A8
                                                                                                  SHA-256:A6CE4FEA8DA69112E750D80CF5FF8B9F794BB8E4D31F724BC738BF38D02BDBAF
                                                                                                  SHA-512:A12A8041CF7399FA45565663A591C875AA8DAD3DB33DF1FDBF639A8EB3D890362ADA341105105CF799C962FF2310354A73A4A7A833E3E25029D2734D7B2EF20C
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFBC50EC9FCD8D654.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFFC36A7348E90ED6B.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):1.2775982467018006
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:2OLuXrh8FXzZT5b50dfqqmuSjndddwEqdGUDj0PbQiSsndddSE8Qq:RLlnTV50fqqmuf3DqNaQq
                                                                                                  MD5:4F0F5FC612368AA2881E3F468723891C
                                                                                                  SHA1:E43BF353574EC16D2B9D24D16EEA3AF61F2990A8
                                                                                                  SHA-256:A6CE4FEA8DA69112E750D80CF5FF8B9F794BB8E4D31F724BC738BF38D02BDBAF
                                                                                                  SHA-512:A12A8041CF7399FA45565663A591C875AA8DAD3DB33DF1FDBF639A8EB3D890362ADA341105105CF799C962FF2310354A73A4A7A833E3E25029D2734D7B2EF20C
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFC36A7348E90ED6B.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFFF04148885CF3CCF.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFFF278558ADD9E957.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):1.6004320040345241
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:88PhTuRc06WXz+jT530dfqqmuSjndddwEqdGUDj0PbQiSsndddSE8Qq:ThT1jjTJ0fqqmuf3DqNaQq
                                                                                                  MD5:95A6D51978C6AB5D65C4B4990FE63406
                                                                                                  SHA1:DDFBC7A3D33EAC3C707A1EE2A9B85C5260DF9891
                                                                                                  SHA-256:C1D492C17E0FEBB4E9D6DEE52AEBF54152F5C903BC57FF0E77F0D1C2F96877DF
                                                                                                  SHA-512:A18D50B089DF03975272299067466539BD8F9D1E4B0B75FB64B2003A4D03D065533B89FF01C973914E56B3702A3E6B6B60E23E284DCAC28600A77292871844AA
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFF278558ADD9E957.TMP, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFF278558ADD9E957.TMP, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  C:\Windows\Temp\~DFFF3092ACA422E16E.TMP

                                                                                                  Download File
                                                                                                  Process:C:\Windows\System32\msiexec.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:unknown
                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                  \Device\ConDrv

                                                                                                  Download File
                                                                                                  Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):456
                                                                                                  Entropy (8bit):5.147849989211096
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:y0Qiem71jCuwE3c5yjCuwE3c0dAyzla7f+xoFEWO8NHGjlWO8NZrr5n:y0QiVpCuwEY4CuwEZxla7fTEWOqAWOqT
                                                                                                  MD5:47C6824B74AAB29B4B6F38BB3DC40537
                                                                                                  SHA1:6938E727DCB318D679159467901116BFB815B27B
                                                                                                  SHA-256:16627A0127DCC45E942C00B5413E838BBFC34A63E5206D45A78F5EFB8B4EBE6F
                                                                                                  SHA-512:2A99EF121DC4C8D7CA3A57C0B245F63FAE897464B22E774601B33B1FFD47DA8922C2C186B8EE71B9A5D0D966E9BC7311905EE192F56CD22C17C717DB8A03F962
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: \Device\ConDrv, Author: Joe Security
                                                                                                  Reputation:unknown
                                                                                                  Preview:You must install .NET to run this application.....App: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe..Architecture: x64..App host version: 6.0.27...NET location: Not found....Learn about runtime installation:..https://aka.ms/dotnet/app-launch-failed....Download the .NET runtime:..https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.27..

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {352F53AF-93CF-49B0-A97C-42FE183A477F}, Create Time/Date: Mon Mar 16 10:59:40 2020, Last Saved Time/Date: Mon Mar 16 10:59:40 2020, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                  Entropy (8bit):7.58991808861058
                                                                                                  TrID:
                                                                                                  • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                  • ClickyMouse macro set (36024/1) 34.46%
                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                  File name:SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi
                                                                                                  File size:634'880 bytes
                                                                                                  MD5:3f3cd65706b50287fd2ba986dacd6cb0
                                                                                                  SHA1:856d68eaa9ec542c2d9a5229bfeb97f16470cca9
                                                                                                  SHA256:5ddc52155a66f0d761d56269200a4d0de19a4c4c1ffb20aad9757f0f3ce5c049
                                                                                                  SHA512:e2f75bf6b44f2fe9b3f6cd8bd9308a707186599ae76fe1370545853accd67eb68c51c2cd71653b86b447822514c06d3158fc30076bf859cf540ea4ecc36138f3
                                                                                                  SSDEEP:12288:Iwdvg7+Cq7zs913vtwSI1hFO0pSuw5+8jOZy2KsGU6a4Ksw:Iwvs913vtzOhwVuahOE2Z34KV
                                                                                                  TLSH:F3D4F1216084443ED7FA0A36887FD272AE7DFD681720C56E8384791E1D748D06BB7B67
                                                                                                  File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                  File Icon

                                                                                                  Icon Hash:2d2e3797b32b2b99

                                                                                                  Network Behavior

                                                                                                  Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                  Statistics

                                                                                                  CPU Usage

                                                                                                  Click to jump to process

                                                                                                  Memory Usage

                                                                                                  Click to jump to process

                                                                                                  High Level Behavior Distribution

                                                                                                  Click to dive into process behavior distribution

                                                                                                  Behavior

                                                                                                  Click to jump to process

                                                                                                  System Behavior

                                                                                                  General

                                                                                                  Target ID:0
                                                                                                  Start time:08:39:40
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                  Imagebase:0x7ff7df220000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:false
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:2
                                                                                                  Start time:08:39:42
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.22990.5900.msi"
                                                                                                  Imagebase:0x7ff74f210000
                                                                                                  File size:69'632 bytes
                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:3
                                                                                                  Start time:08:39:43
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                  Imagebase:0x7ff74f210000
                                                                                                  File size:69'632 bytes
                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:4
                                                                                                  Start time:08:39:43
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\Sgrmuserer.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\Sgrmuserer.exe
                                                                                                  Imagebase:0x7ff7d9e70000
                                                                                                  File size:329'504 bytes
                                                                                                  MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:5
                                                                                                  Start time:08:39:44
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                  Imagebase:0x7ff7df220000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:6
                                                                                                  Start time:08:39:44
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 88B9AFD431CCCBC2C183FA86EEAF26D8
                                                                                                  Imagebase:0x5b0000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:7
                                                                                                  Start time:08:39:44
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
                                                                                                  Imagebase:0x7ff7df220000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:8
                                                                                                  Start time:08:39:44
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                  Imagebase:0x7ff7df220000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:9
                                                                                                  Start time:08:39:45
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="gearoid@pcsales.ie" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI=""
                                                                                                  Imagebase:0x1f267be0000
                                                                                                  File size:107'520 bytes
                                                                                                  MD5 hash:28D920237F64F246331725C1B2A29D1B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1327425121.00007FF7C0BCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326829533.000001F267E51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326829533.000001F267E53000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326388482.000001F20012F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326388482.000001F200001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326829533.000001F267E7D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326388482.000001F20007C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326388482.000001F200134000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1327216526.000001F26A083000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326737224.000001F267D90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326388482.000001F200131000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326829533.000001F267E16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326388482.000001F2000B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326829533.000001F267E10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000002.1326388482.000001F2000C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000009.00000000.1308365620.000001F267BE2000.00000002.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 5%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:10
                                                                                                  Start time:08:39:46
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                  Imagebase:0x2402d3a0000
                                                                                                  File size:107'520 bytes
                                                                                                  MD5 hash:28D920237F64F246331725C1B2A29D1B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1741361683.000002402D60C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1741226258.000002402D5C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1831401511.000002404689D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E42E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E196000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402DDC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E168000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402DED5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E0FE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1831401511.00000240468C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E066000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1741361683.000002402D639000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402DE6C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E199000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E27F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1831401511.0000024046855000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1741361683.000002402D5D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1831401511.0000024046885000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1831401511.00000240468F9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1739888226.0000009BBB9E4000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1741361683.000002402D673000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E537000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E372000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1744392039.000002402E418000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1741361683.000002402D5F5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1811264088.00000240464CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1741048617.000002402D440000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000002.1741361683.000002402D5D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:11
                                                                                                  Start time:08:39:47
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                  Imagebase:0x7ff653d60000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:12
                                                                                                  Start time:08:39:47
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:13
                                                                                                  Start time:08:39:54
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "7f4bc6c6-59a6-4bc9-8598-c31d718ec694" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
                                                                                                  Imagebase:0x1b6aee90000
                                                                                                  File size:176'176 bytes
                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421801348.000001B6AF340000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421246310.000001B6AF137000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421661955.000001B6AF302000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421246310.000001B6AF19F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421997857.000001B6AF851000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421246310.000001B6AF130000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421201415.000001B6AF11C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421201415.000001B6AF110000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421997857.000001B6AF8D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000000.1402430407.000001B6AEE92000.00000002.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.1421246310.000001B6AF153000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:14
                                                                                                  Start time:08:39:54
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:15
                                                                                                  Start time:08:39:57
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "4d4475cf-de40-427c-84dc-885cd4d49f26" agent-api.atera.com/Production 443 or8ixLi90Mf "identified"
                                                                                                  Imagebase:0x28e1cc90000
                                                                                                  File size:176'176 bytes
                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000F.00000002.1458916018.0000028E1CEE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000F.00000002.1459662383.0000028E1D160000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000F.00000002.1458916018.0000028E1CEE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000F.00000002.1458916018.0000028E1CF68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000F.00000002.1458916018.0000028E1CF1B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000F.00000002.1459760921.0000028E1D6D3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000F.00000002.1459760921.0000028E1D651000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:17
                                                                                                  Start time:08:39:57
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:18
                                                                                                  Start time:08:39:57
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                  Imagebase:0x2a06bbe0000
                                                                                                  File size:107'520 bytes
                                                                                                  MD5 hash:28D920237F64F246331725C1B2A29D1B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2083569595.000002A06BCE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2107624213.000002A06D060000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2100308784.000002A06CC68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2100308784.000002A06CD0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2093412656.000002A06BFB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A000AE5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2100308784.000002A06CC40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2107624213.000002A06D103000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2100308784.000002A06CD38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2107624213.000002A06D0B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2083569595.000002A06BD52000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A000010000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2100308784.000002A06CCE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A000507000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2107624213.000002A06D0DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2083569595.000002A06BD22000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A000C08000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2107624213.000002A06D0B1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A000F86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2083569595.000002A06BD1F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A00108C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2107624213.000002A06D08B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A000116000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A00028B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1920228519.000000EBA39E4000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A001008000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A000001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2100308784.000002A06CCCB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A0002D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2107624213.000002A06D0C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A000E70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.2078566612.000002A06BC80000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000012.00000002.1930726295.000002A000B64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:19
                                                                                                  Start time:08:39:57
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\sc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                  Imagebase:0x7ff653d60000
                                                                                                  File size:72'192 bytes
                                                                                                  MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:20
                                                                                                  Start time:08:39:57
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:21
                                                                                                  Start time:08:39:58
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "286bd9d8-353a-4b8d-9785-82c1528904e7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"
                                                                                                  Imagebase:0x1b720dc0000
                                                                                                  File size:176'176 bytes
                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1630021987.000001B720F0B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B7218AE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1640288592.000001B739E7E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B721974000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B721D02000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B7219C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1632466581.000001B721270000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B721977000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1630021987.000001B720FD7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1630021987.000001B720F78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1640030677.000001B739E52000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1644522191.000001B73A2FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1630021987.000001B720F31000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1630021987.000001B720EF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B721905000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B72190D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B7217E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1630021987.000001B720F2B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B721945000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.1633030598.000001B721751000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:22
                                                                                                  Start time:08:39:58
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:23
                                                                                                  Start time:08:40:00
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                  Imagebase:0x7ff632a50000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.1556299859.000001FFDC82B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.1556299859.000001FFDC820000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.1556299859.000001FFDC843000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000003.1461221162.000001FFDC960000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.1556449027.000001FFDC940000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:24
                                                                                                  Start time:08:40:00
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:25
                                                                                                  Start time:08:40:00
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\cscript.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                  Imagebase:0x7ff75d280000
                                                                                                  File size:161'280 bytes
                                                                                                  MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000019.00000002.1554504889.0000021637B80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:28
                                                                                                  Start time:08:40:01
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1770ba0d-887c-48bc-9dfe-81a93d31467b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjozLCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9wYWNrYWdlc3N0b3JlLmJsb2IuY29yZS53aW5kb3dzLm5ldC9pbnN0YWxsZXJzL0FueURlc2svQWdlbnRfQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSJ9"
                                                                                                  Imagebase:0x1ba14190000
                                                                                                  File size:52'272 bytes
                                                                                                  MD5 hash:3180C705182447F4BCC7CE8E2820B25D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1640544426.000001BA145D2000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1638646479.000001BA1438C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1641133212.000001BA14B71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1638646479.000001BA143C3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1640878216.000001BA14620000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1638646479.000001BA143AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1641133212.000001BA14CBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1641133212.000001BA14D36000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1641133212.000001BA14BF3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000000.1471696821.000001BA14192000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1651206396.000001BA2D230000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1651206396.000001BA2D2ED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1641133212.000001BA15006000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1641133212.000001BA14F82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1638646479.000001BA1440F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1651206396.000001BA2D2B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.1638646479.000001BA14380000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:29
                                                                                                  Start time:08:40:01
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:30
                                                                                                  Start time:08:40:02
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\sppsvc.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                  Imagebase:0x7ff6e2ed0000
                                                                                                  File size:4'630'384 bytes
                                                                                                  MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:31
                                                                                                  Start time:08:40:03
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 328987ae-dff2-409c-a138-b16d9739728b "8f1aa051-8e50-4815-abc3-1c6545289f2a" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"
                                                                                                  Imagebase:0x1cdf1200000
                                                                                                  File size:396'336 bytes
                                                                                                  MD5 hash:B50005A1A62AFA85240D1F65165856EB
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1548276807.000001CDF33B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1559754160.00007FF817C29000.00000004.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1542013724.000001CDF12F0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000000.1494236148.000001CDF1202000.00000002.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1542157242.000001CDF1430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1548174753.000001CDF33A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1542066814.000001CDF13F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1542157242.000001CDF14BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1545077246.000001CDF23B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1542157242.000001CDF1472000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1538211245.000001CD80001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1544311162.000001CDF1B72000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1548150822.000001CDF31A7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1542157242.000001CDF147C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1542157242.000001CDF143C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1542157242.000001CDF151A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1548352968.000001CDF34D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1538211245.000001CD805A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.1538211245.000001CD800ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:32
                                                                                                  Start time:08:40:03
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:33
                                                                                                  Start time:08:40:10
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                  Imagebase:0x7ff7df220000
                                                                                                  File size:55'320 bytes
                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:false
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:34
                                                                                                  Start time:08:40:11
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\msiexec.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"msiexec.exe" /i "C:\Windows\TEMP\AnyDesk-CM.msi" /qn
                                                                                                  Imagebase:0x7ff74f210000
                                                                                                  File size:69'632 bytes
                                                                                                  MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000022.00000003.1621455728.000002A2A912D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000022.00000002.1622807856.000002A2A9137000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000022.00000002.1622327025.000002A2A9100000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000022.00000003.1621515538.000002A2A9141000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000022.00000003.1621569040.000002A2A9136000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000022.00000002.1622327025.000002A2A910B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000022.00000002.1622891925.000002A2A9142000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:35
                                                                                                  Start time:08:40:12
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding B00A7C36C28E7241176BB9CC8D98E5DB E Global\MSI0000
                                                                                                  Imagebase:0x5b0000
                                                                                                  File size:59'904 bytes
                                                                                                  MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:36
                                                                                                  Start time:08:40:13
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe" --service
                                                                                                  Imagebase:0x200000
                                                                                                  File size:3'910'992 bytes
                                                                                                  MD5 hash:93B4FC0135DEBA59A7D1A59468FE2794
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:37
                                                                                                  Start time:08:40:16
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Program Files (x86)\AnyDesk-f45e5af2_msi\AnyDesk-f45e5af2_msi.exe" --control
                                                                                                  Imagebase:0x200000
                                                                                                  File size:3'910'992 bytes
                                                                                                  MD5 hash:93B4FC0135DEBA59A7D1A59468FE2794
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:39
                                                                                                  Start time:08:40:29
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1d3f044-b3ad-4477-a71b-e7adea6af624" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
                                                                                                  Imagebase:0x201f5290000
                                                                                                  File size:176'176 bytes
                                                                                                  MD5 hash:ACCE8B17DE63299AA4D5CB7D709BEEDC
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2066046594.00000201F5460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2097698634.00000201F6511000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2086290764.00000201F646D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2066046594.00000201F549A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2085256356.00000201F6440000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2066046594.00000201F547B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2113897333.00000201F66CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2013736771.0000020180047000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2013736771.0000020180083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2013736771.00000201801D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2066046594.00000201F54E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2089050866.00000201F6479000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2013736771.0000020180001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2078485727.00000201F5600000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:40
                                                                                                  Start time:08:40:29
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:41
                                                                                                  Start time:08:40:30
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\cmd.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                  Imagebase:0x7ff632a50000
                                                                                                  File size:289'792 bytes
                                                                                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.1986641763.0000025F9E21B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000003.1766662600.0000025F9E400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.1988799254.0000025F9E3E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.1986641763.0000025F9E234000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.1986641763.0000025F9E210000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:42
                                                                                                  Start time:08:40:30
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "56e78124-ff9e-4e29-ad5e-0209b83f61c7" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
                                                                                                  Imagebase:0x2bfb0dc0000
                                                                                                  File size:73'264 bytes
                                                                                                  MD5 hash:00A4D22D776D110ADCC63F0C567131C6
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2546404498.000002BFB0E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2546404498.000002BFB0E7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2619058939.000002BFC9FD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2560503274.000002BFB1808000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2560503274.000002BFB19D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2559452797.000002BFB1120000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2546404498.000002BFB0EB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2619058939.000002BFCA03F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2560503274.000002BFB18C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2546404498.000002BFB0EB6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2541868230.000000FD30CF1000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2546404498.000002BFB0F67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2560503274.000002BFB1791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000000.1766391573.000002BFB0DC2000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2546404498.000002BFB0EFB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:43
                                                                                                  Start time:08:40:30
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:44
                                                                                                  Start time:08:40:31
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:45
                                                                                                  Start time:08:40:31
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\cscript.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                  Imagebase:0x7ff75d280000
                                                                                                  File size:161'280 bytes
                                                                                                  MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002D.00000002.1981618842.00000203A08B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:46
                                                                                                  Start time:08:40:31
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 328987ae-dff2-409c-a138-b16d9739728b "7cc0114f-d163-4617-a905-9a329cdf5945" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
                                                                                                  Imagebase:0x1f368620000
                                                                                                  File size:52'272 bytes
                                                                                                  MD5 hash:6095B43FA565DA44E7A818CFB4BACBA2
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2071700756.000001F3687A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2086765903.000001F368C95000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2071700756.000001F368791000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2029187628.000001F300276000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2071700756.000001F3687DD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2071700756.000001F36875C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2029187628.000001F300285000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000000.1769476624.000001F368622000.00000002.00000001.01000000.0000001F.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2029187628.000001F300180000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2029187628.000001F30010F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2092194234.000001F3698A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2092194234.000001F369810000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2085850803.000001F368AA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2029187628.000001F300001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2071700756.000001F368750000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2029187628.000001F300126000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:47
                                                                                                  Start time:08:40:31
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:48
                                                                                                  Start time:08:40:31
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 328987ae-dff2-409c-a138-b16d9739728b "197104ea-9832-45bd-9a2f-8c3a39747567" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
                                                                                                  Imagebase:0x25910200000
                                                                                                  File size:219'696 bytes
                                                                                                  MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1886184112.0000025910D4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1915380437.0000025929530000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1874421073.00000259104B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1886184112.0000025910E13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1874421073.00000259104FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1880486743.0000025910554000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1873907761.0000025910470000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1886184112.0000025910E0B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1915380437.00000259295A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1883438305.00000259106D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1886184112.0000025910E15000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1873907761.000002591047C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1886184112.0000025910BD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1920186276.00000259295E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1886184112.0000025910E17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1886184112.0000025910BEE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000000.1776907358.0000025910202000.00000002.00000001.01000000.00000020.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1874421073.0000025910491000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000030.00000002.1886184112.0000025910BF0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:49
                                                                                                  Start time:08:40:33
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 328987ae-dff2-409c-a138-b16d9739728b "28e860a2-285e-4a91-9ed0-d2614790e752" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"
                                                                                                  Imagebase:0x11c773b0000
                                                                                                  File size:51'248 bytes
                                                                                                  MD5 hash:26E9CCE4BD85A1FCACBF03A8C3F3DDCA
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.1849193858.0000011C77B92000.00000002.00000001.01000000.00000026.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000000.1789689253.0000011C773B2000.00000002.00000001.01000000.00000021.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.1825247533.0000011C77582000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.1846748951.0000011C776A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.1825247533.0000011C77540000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.1808902733.0000011C00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.1825247533.0000011C775CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.1825247533.0000011C7754C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:50
                                                                                                  Start time:08:40:33
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 328987ae-dff2-409c-a138-b16d9739728b "e4786dfd-8714-4cf5-9610-b4bc75778433" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjMyIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzNiMTFiZDM4LTU4ZmQtNDc4My05ZDdmLWUxOGUwNDA5ZmU2YS9hM2RmNGM3ZWJmZjhmYzJjNjdkN2M5ZjU1MThmYjdmZC9kb3RuZXQtcnVudGltZS02LjAuMzItb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9hYTBiMWY3MS04ZGZjLTRiMWItOTUyNS0yMjQ5Y2Q0N2NkN2QvZWRkNDJjM2YyYmYxMTEwNjczNTVhZTFkNDU5OGZhNTEvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2I2ZGIyMjYxLTQyODgtNDc0Zi04NzYyLTRlZTA2YmNiMTIyNy9lOGIxNDU4ZWE5ZjgyYjkwZTYzYmU4ZmU4YjlmMjc3NS9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80NTE1YWFhYS1jN2Q1LTQwYmYtYjdmZC1mNDc2ZDZlYTNiMWEvYzU0NWVhOTJkYmQ1Mzc3NTNhZWZiOTM3NDc4ZmQ1MzIvZG90bmV0LXJ1bnRpbWUtNi4wLjMyLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzQ4ZWRkZTFlLTFlOGYtNGRiNi1iNGRjLWM4ODI1NTZkZGE0Yi8wODRhZjllNTQ2ODZmNzBhOGRhZWNlYTJkMmZiZTJjYi9kb3RuZXQtcnVudGltZS02LjAuMzItd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6ImszRlZuUDdFQ25zUWdITm92ZTBvZmFVNXgzVFVHVDZkOFk3TmFwbTZPZWpuNXBpVXNoZlcwczc1QkJhVUR6T3hrNmxXL01BOFJnM2pqTVFIai9Eb3lRPT0iLCJNYWNYNjRDaGVja3N1bSI6IjZ2bUxDeVFPSnBrUkFtSDMxUnRYZE9tSnFuQkZEXHUwMDJCZ1VGeWxzN3hjSldvWmZcdTAwMkJuc25WWWtRc2JIYWV0TXVUcm8xaWRMcDhSVnl6RjE4NmFLQUNoSkZnUT09IiwiV2luQVJNQ2hlY2tzdW0iOiJ3eG02bWxhZkdzWXpPTmh4WVBLSW85a3RBVkN0WC94MGVua0s0RjAwUHJQMm9FSTI3aXFPNTh2akFEOHpITUMwenRYNnBBWWZNb0hEMXoyczYzcm5SQT09IiwiV2luWDY0Q2hlY2tzdW0iOiI1Ry9MOVhSM2J0R0ZrcGFoaHpTdkVDcVNIb3J1d0FhZTZVdkk4azFNYWFvb3NiRmR5Nk4xU3NHdFB2NEpuSUs4UmxPVUtUSHU2NFZMTHRCb1RWTHFoUT09IiwiV2luWDg2Q2hlY2tzdW0iOiJTZU51SVx1MDAyQkhMaTM0L0JQL1ZKcHFqb2FaeVZDY1ZLVnNhQUdtalc5dWJyeUFrZ3pkZ2wwS2xjNENuT2ljZ01Mb2R4dVNVcU9SeVRJbUdZWmVGSzlMbW1RPT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9"
                                                                                                  Imagebase:0x1f24c6f0000
                                                                                                  File size:55'344 bytes
                                                                                                  MD5 hash:77C613FFADF1F4B2F50D31EEEC83AF30
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2565001660.000001F24D685000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2548498978.000001F24C967000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2561158849.000001F24CB20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000000.1790153909.000001F24C6F2000.00000002.00000001.01000000.00000022.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2548498978.000001F24C910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2548498978.000001F24C93D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2546695135.000001F24C790000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2565001660.000001F24D113000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2630120856.000001F265850000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2565001660.000001F24D157000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2565001660.000001F24D0B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2637942073.000001F265912000.00000002.00000001.01000000.0000004E.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2565001660.000001F24D619000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2548498978.000001F24C95A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2548498978.000001F24C91E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2630120856.000001F2657D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2565001660.000001F24D69A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2565001660.000001F24D690000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2548498978.000001F24C9A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2541404315.0000007544FF0000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2548498978.000001F24C926000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000032.00000002.2565001660.000001F24D1ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, Author: Joe Security
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:51
                                                                                                  Start time:08:40:33
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:52
                                                                                                  Start time:08:40:33
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:53
                                                                                                  Start time:08:40:33
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 328987ae-dff2-409c-a138-b16d9739728b "d1de39b7-f261-48cb-9dc4-629b89d8a751" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"
                                                                                                  Imagebase:0x19355b40000
                                                                                                  File size:37'936 bytes
                                                                                                  MD5 hash:601E661FD5917647D8932600560E6A27
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1876523126.0000019355CFD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1876523126.0000019355CB0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1876523126.0000019355CBC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1896358281.00000193567F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1893205305.0000019356432000.00000002.00000001.01000000.0000002D.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1924563744.000001936ED9F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1895211057.0000019356562000.00000002.00000001.01000000.0000002F.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1876523126.0000019355CF1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1876523126.0000019355D3D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1876523126.0000019355D92000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1896358281.0000019356912000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1896358281.0000019356869000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1876523126.0000019355CD2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1924563744.000001936ED30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1887837216.0000019355EF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000035.00000002.1896358281.0000019356671000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:54
                                                                                                  Start time:08:40:33
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 328987ae-dff2-409c-a138-b16d9739728b "1d2acbd6-a090-4ad5-8aa2-025239e0beed" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ=="
                                                                                                  Imagebase:0x2baa4fd0000
                                                                                                  File size:52'272 bytes
                                                                                                  MD5 hash:3180C705182447F4BCC7CE8E2820B25D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1875519724.000002BAA5B13000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1862633775.000002BAA5108000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1875519724.000002BAA5A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1862633775.000002BAA5182000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1875519724.000002BAA5E2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1905015814.000002BABE1B5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1874241795.000002BAA5400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1905015814.000002BABE150000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1875519724.000002BAA5C56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1862633775.000002BAA5100000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1905015814.000002BABE168000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1875519724.000002BAA5BDD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.1862633775.000002BAA513B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:55
                                                                                                  Start time:08:40:33
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:false

                                                                                                  General

                                                                                                  Target ID:56
                                                                                                  Start time:08:40:33
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:57
                                                                                                  Start time:08:40:33
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:58
                                                                                                  Start time:08:40:34
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 328987ae-dff2-409c-a138-b16d9739728b "0b89ae87-0eed-4d02-93ce-0ff8d9af8844" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
                                                                                                  Imagebase:0x7ff71d680000
                                                                                                  File size:160'336 bytes
                                                                                                  MD5 hash:EEB8806784553B29F5E8CE3F3566C452
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.1811224169.000001F4715B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.1811224169.000001F4715BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                  Has exited:true

                                                                                                  General

                                                                                                  Target ID:59
                                                                                                  Start time:08:40:34
                                                                                                  Start date:04/09/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff620390000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Disassembly

                                                                                                  Reset < >

                                                                                                    Executed Functions

                                                                                                    Function 00007FF7C0CD5BC7 Relevance: 2.6, Strings: 2, Instructions: 67COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: M_H$M_I
                                                                                                    • API String ID: 0-3273742694
                                                                                                    • Opcode ID: 1f0142619af8713dea19c8162a55852761043771a83146f06a5b5529f1ba30bf
                                                                                                    • Instruction ID: c26d6026988dba88dc9025b96760e7b35dcc6a4f712a92aabf37875c9c697eca
                                                                                                    • Opcode Fuzzy Hash: 1f0142619af8713dea19c8162a55852761043771a83146f06a5b5529f1ba30bf
                                                                                                    • Instruction Fuzzy Hash: 4211E66570EB859FD7259738A4002A9F760FF8523031047EBC08A8BA4BCE34FA16C7C4
                                                                                                    Function 00007FF7C0CD49B5 Relevance: 1.6, Strings: 1, Instructions: 363COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ^C
                                                                                                    • API String ID: 0-2435731436
                                                                                                    • Opcode ID: 2c825ccab857f152784aa764b457b3964be4e14aeb923d1dd4642376db46198a
                                                                                                    • Instruction ID: f478dd63ed4631a47744002282b19d58f80785a9478b1b40a87f4207a41b7ddc
                                                                                                    • Opcode Fuzzy Hash: 2c825ccab857f152784aa764b457b3964be4e14aeb923d1dd4642376db46198a
                                                                                                    • Instruction Fuzzy Hash: 10C13C7290D7954FD321BB7898521E8BBE0EF52331B8846FBD28CCB693DB1C644583A5
                                                                                                    Function 00007FF7C0CD5BA8 Relevance: 1.5, Strings: 1, Instructions: 218COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: M_H
                                                                                                    • API String ID: 0-372873180
                                                                                                    • Opcode ID: 27011281b018c797829829bf37d6b6f1c88b5c97de035c7d4c8a469706ce729f
                                                                                                    • Instruction ID: ca023e8b050bb0a8960cb3eea2b31f6165b2846d95685aaa3ff2861c7dc27f47
                                                                                                    • Opcode Fuzzy Hash: 27011281b018c797829829bf37d6b6f1c88b5c97de035c7d4c8a469706ce729f
                                                                                                    • Instruction Fuzzy Hash: 0351C370A1CB488FD728EB6C98552B9BBE1FF99321B10427FD04DC3692CF24A81687C1
                                                                                                    Function 00007FF7C0CD5A78 Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: M_H
                                                                                                    • API String ID: 0-372873180
                                                                                                    • Opcode ID: 7ad487edde35a1a1eacf2732e2eca44e32ce26504ea306023842b5786d5bd1c0
                                                                                                    • Instruction ID: 373d92d116b8b6d2f215cd56cdad0d244f6321b0e63833841cb8d9819be3bdd4
                                                                                                    • Opcode Fuzzy Hash: 7ad487edde35a1a1eacf2732e2eca44e32ce26504ea306023842b5786d5bd1c0
                                                                                                    • Instruction Fuzzy Hash: 7B21D3B120EA895FD328576CD8153BCFB50FF8622631047EBC04AC728BDE70A52687C5
                                                                                                    Function 00007FF7C0D9061D Relevance: .4, Instructions: 408COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327802031.00007FF7C0D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0d90000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9ef1a99609a39ce3931f27204d16925dd399e0ffe172f52032bbc8c31e843062
                                                                                                    • Instruction ID: d4416716d714dfabd33e7971d8aba756915e54a776063d823c7817109ee86343
                                                                                                    • Opcode Fuzzy Hash: 9ef1a99609a39ce3931f27204d16925dd399e0ffe172f52032bbc8c31e843062
                                                                                                    • Instruction Fuzzy Hash: ACB11870B0CA494FD799EB2C98596757BE1EF56320B0442BED04EC72A3DE19AC428BD1
                                                                                                    Function 00007FF7C0D900D6 Relevance: .2, Instructions: 238COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327802031.00007FF7C0D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0d90000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 09dd126c31616c864ac24e9d178ffaa38d30b7d2e4f623945a38e86cc573b803
                                                                                                    • Instruction ID: 7dfeae46ba488bdd39a7fcb29038d20b86f1483d6606975de4ddd704ac04f104
                                                                                                    • Opcode Fuzzy Hash: 09dd126c31616c864ac24e9d178ffaa38d30b7d2e4f623945a38e86cc573b803
                                                                                                    • Instruction Fuzzy Hash: 2A51C470B0CA0C4FD758EF1CE855A74B7E1FB99720B5502BAE44AC72A6CE25FC428781
                                                                                                    Function 00007FF7C0CD0970 Relevance: .2, Instructions: 237COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ccafacbd64dce8693fa6ea2cf0deba992d81d1c6dfff52ad1c733977e9f2905f
                                                                                                    • Instruction ID: 3551eae76b56c7709dcf3014891b0ff8b2583f71486fd127344990804a81513a
                                                                                                    • Opcode Fuzzy Hash: ccafacbd64dce8693fa6ea2cf0deba992d81d1c6dfff52ad1c733977e9f2905f
                                                                                                    • Instruction Fuzzy Hash: DD913C70908A1D8FDB99EF28C8987E8B7A1FF59304F6045E9C00ED7296DF356A81CB50
                                                                                                    Function 00007FF7C0CD5C5E Relevance: .2, Instructions: 233COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bc0660b40368122814cc15f145f7c7ac04bb36e2d2ad23a3863b2af83aee2841
                                                                                                    • Instruction ID: 248309a62414b943b96bbf19d4082621d776633c90af3feb5c76fbd40ec5f57f
                                                                                                    • Opcode Fuzzy Hash: bc0660b40368122814cc15f145f7c7ac04bb36e2d2ad23a3863b2af83aee2841
                                                                                                    • Instruction Fuzzy Hash: C551F471A18A184FEB19AB6C98552F9B7E1FF99321F00427FD04EC3282DF24B80687C1
                                                                                                    Function 00007FF7C0CD1F9E Relevance: .2, Instructions: 189COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5ad2f97c4ee6cf91099a8dc4d0a0fdf764c80ccf765547fae2ebba01adbae865
                                                                                                    • Instruction ID: 7308a1fa8ab3796a79e362dd382d66515a9b7ba5d2db645a0de685d5ec0be916
                                                                                                    • Opcode Fuzzy Hash: 5ad2f97c4ee6cf91099a8dc4d0a0fdf764c80ccf765547fae2ebba01adbae865
                                                                                                    • Instruction Fuzzy Hash: 3C612A3490965D8FDBA5EF68C4547EDB7B1FF65310F6041AAC20EE3291CB386985CB50
                                                                                                    Function 00007FF7C0CD53D3 Relevance: .2, Instructions: 189COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c24d5298f783a9fed7c45cca0c8d1b79d9520be937366a042162832d5618313a
                                                                                                    • Instruction ID: 27602580ecbef533de128cf24dad90bd99abf50ada09be9d9ba785ccf6af7416
                                                                                                    • Opcode Fuzzy Hash: c24d5298f783a9fed7c45cca0c8d1b79d9520be937366a042162832d5618313a
                                                                                                    • Instruction Fuzzy Hash: CA515B62A0E68A1FD712FF28EC522EA7B90EF52365B0443B7D14CCB293DE1878058795
                                                                                                    Function 00007FF7C0D904DE Relevance: .1, Instructions: 144COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327802031.00007FF7C0D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0D90000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0d90000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 56600767021af6f7bb391396bd9a675ecf491cfd015692c273e7c696f61e70d8
                                                                                                    • Instruction ID: 56f523f674a246f57aa102c7244c1b64b3ec481fc74a109fc94230e33d0673e2
                                                                                                    • Opcode Fuzzy Hash: 56600767021af6f7bb391396bd9a675ecf491cfd015692c273e7c696f61e70d8
                                                                                                    • Instruction Fuzzy Hash: 8341F671B0DB854FE3869B3C98556647FE0EF5A22030942FBC089C72B7DE68AC46C791
                                                                                                    Function 00007FF7C0CD1292 Relevance: .1, Instructions: 125COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4f3661c736e3709e5404d847f4921ab49a39b174405b9b3a6f2032b9027d49bd
                                                                                                    • Instruction ID: 5b7cca9c3b16baef36520cbba2b046635cb6cb0c5ef246df6919fa791b239b6e
                                                                                                    • Opcode Fuzzy Hash: 4f3661c736e3709e5404d847f4921ab49a39b174405b9b3a6f2032b9027d49bd
                                                                                                    • Instruction Fuzzy Hash: 9C418930C093AA9FE765DA6888953E9B7F0EF06710F4440F9C08AD72A2DA386D85CF51
                                                                                                    Function 00007FF7C0CD1097 Relevance: .1, Instructions: 109COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8504b3ad6b161be17187c34b8b9ec6a05c7de4b07dfeb08e43cd5be3ec07672b
                                                                                                    • Instruction ID: 1b7adfd3f4d872528ae2c2c9c0a93ffa0b73c5fc71fe588acf1f20d47a57034f
                                                                                                    • Opcode Fuzzy Hash: 8504b3ad6b161be17187c34b8b9ec6a05c7de4b07dfeb08e43cd5be3ec07672b
                                                                                                    • Instruction Fuzzy Hash: 2A415970D093599FE769AF2494943FCF6B0AF06320F9010BDD14AA7292CB786984CF14
                                                                                                    Function 00007FF7C0CD3EFA Relevance: .1, Instructions: 98COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ee7ebc9430f8fb38e35e057e066b64102dd52ab08611ed7877c0fd841d8f46dd
                                                                                                    • Instruction ID: dfa2317b7b557f5a477f7071635d92f22fca834919d18f4084e6262acacea16d
                                                                                                    • Opcode Fuzzy Hash: ee7ebc9430f8fb38e35e057e066b64102dd52ab08611ed7877c0fd841d8f46dd
                                                                                                    • Instruction Fuzzy Hash: 8B3103B2A086894FD742EF78EC522DA3BE0EF40320B04457AE56DC7283CA34A4568796
                                                                                                    Function 00007FF7C0CD1E9D Relevance: .1, Instructions: 91COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 90c4648f0e66533764241bdd106e064e90ad6ee8468c438c0c2922a9a10059cf
                                                                                                    • Instruction ID: bb9657f9a77f5bb042026a688b2437c5da58a2a1630698d391e4cef6312470c6
                                                                                                    • Opcode Fuzzy Hash: 90c4648f0e66533764241bdd106e064e90ad6ee8468c438c0c2922a9a10059cf
                                                                                                    • Instruction Fuzzy Hash: 48319130909B998FDBAADB28C814798B7F1EF46360F4005EEC04ED72A2CB795D85CB51
                                                                                                    Function 00007FF7C0CD2042 Relevance: .1, Instructions: 73COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6a669532a96c14ca904c8fa45fe71dc63d7eb65f479ccfa740ba511cfa40fcfe
                                                                                                    • Instruction ID: 5142445bddddc28b879f2fde68ee99925394f707f3b5fc3356f4f3716d895604
                                                                                                    • Opcode Fuzzy Hash: 6a669532a96c14ca904c8fa45fe71dc63d7eb65f479ccfa740ba511cfa40fcfe
                                                                                                    • Instruction Fuzzy Hash: A721E934A08A1E8AEB64EE54C4407FDF3A1FF65311F9091B9C24EE3681CB347985CBA1
                                                                                                    Function 00007FF7C0CD269D Relevance: .1, Instructions: 56COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4730d9a0adc64a2079c93d510a19608233047b5f57d6656a6cc58010e24c8ffb
                                                                                                    • Instruction ID: a7c480a25ff5bbc96f98fff12643d19b86ffb3214cfd9405ab4f92ec7dc9b53a
                                                                                                    • Opcode Fuzzy Hash: 4730d9a0adc64a2079c93d510a19608233047b5f57d6656a6cc58010e24c8ffb
                                                                                                    • Instruction Fuzzy Hash: E711E071C0CB8D9FE715AFA0C8152EDFBB0EF16310F4001BAD109E32C2DBA8A4448B91
                                                                                                    Function 00007FF7C0CD468E Relevance: .1, Instructions: 54COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b8e5eb9f7cace3f9b297a4fa4b9189772f1e8212979cc1f1f24f59de2009227a
                                                                                                    • Instruction ID: 23e6b55eda868873b2e3b721659d909073798bd8d39d40572dd548c0f4d13020
                                                                                                    • Opcode Fuzzy Hash: b8e5eb9f7cace3f9b297a4fa4b9189772f1e8212979cc1f1f24f59de2009227a
                                                                                                    • Instruction Fuzzy Hash: 3001922161CA894FD795EB2C8494AA0BBE1EF9522034941EAD54AC7292DB18F846C791
                                                                                                    Function 00007FF7C0CD2615 Relevance: .1, Instructions: 53COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 15afc1ac4984044b7ba8dc8349fee3cb172226cd5774cc280b932e9a778f934c
                                                                                                    • Instruction ID: 916acc32539038d7d48da651d4e2c87b38f1dae5dde852f8310d010858a02e24
                                                                                                    • Opcode Fuzzy Hash: 15afc1ac4984044b7ba8dc8349fee3cb172226cd5774cc280b932e9a778f934c
                                                                                                    • Instruction Fuzzy Hash: 1E118F7180DBCD9FEB52EB7888189A9BFA0EF56310F4900FBE558C71A3D6246944CB52
                                                                                                    Function 00007FF7C0CD376D Relevance: .1, Instructions: 53COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c0c12d0cf315901c7bb279cf0aa8b12b78e63faac6cd0437d80619802679fdd2
                                                                                                    • Instruction ID: aeb342efeca5253f2fae72d2966c5ab6d24e63a0376a94333af02b0a11abb2ab
                                                                                                    • Opcode Fuzzy Hash: c0c12d0cf315901c7bb279cf0aa8b12b78e63faac6cd0437d80619802679fdd2
                                                                                                    • Instruction Fuzzy Hash: 3001C0B190DBCA4FE711BF248C192E8BBA0FF52214F4900AAD868C7192CE24A815C7A0
                                                                                                    Function 00007FF7C0CD0FA2 Relevance: .0, Instructions: 50COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 87016dfeb855c73270ad3b01228a4acbe934938aaff91aab2f3b6e53c2164aaf
                                                                                                    • Instruction ID: b03f36e4c057c30991a9283952d3a373d67a7051d54d715728ef4c5c4c884520
                                                                                                    • Opcode Fuzzy Hash: 87016dfeb855c73270ad3b01228a4acbe934938aaff91aab2f3b6e53c2164aaf
                                                                                                    • Instruction Fuzzy Hash: 251106709186598FD7A9EF24C8957E9BBB1EF55320F6004FDD00AE72A2CB396984CF50
                                                                                                    Function 00007FF7C0CD37F5 Relevance: .0, Instructions: 46COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 573e62845e8a8676c4d5fc40a2c2b3c2777f5f215d1496979499668927b8619d
                                                                                                    • Instruction ID: 3776708211e27ba3543805391a2f370bc818bc6f70af3b188750a6d68d140d29
                                                                                                    • Opcode Fuzzy Hash: 573e62845e8a8676c4d5fc40a2c2b3c2777f5f215d1496979499668927b8619d
                                                                                                    • Instruction Fuzzy Hash: 4001BC61A0DB864FE3025F2088691E9BBA0FF1222074940F3D969CB1D3DE18E816C391
                                                                                                    Function 00007FF7C0CD13C3 Relevance: .0, Instructions: 44COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 44ee6defd7ffddd567effe0a26abf5c46ea4a288589add6aae239a95960a9cb5
                                                                                                    • Instruction ID: fb7caf544294e1ab4e787178257e0f83acbe94871d075054c9893e9a77871931
                                                                                                    • Opcode Fuzzy Hash: 44ee6defd7ffddd567effe0a26abf5c46ea4a288589add6aae239a95960a9cb5
                                                                                                    • Instruction Fuzzy Hash: 9A017571D1876A9FD7A4DE2484543FDB7F1EF15710F9401B9C00DC66A1DA386985CF40
                                                                                                    Function 00007FF7C0CD4709 Relevance: .0, Instructions: 42COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0e04c11707d662f130151d2d2262afe041dda2cefaccc9b9ba333ba1bbf1432a
                                                                                                    • Instruction ID: 3f1772427ad3d05c5f9523fb731d32cb2fd78782e7697644a698cef71aa59ee2
                                                                                                    • Opcode Fuzzy Hash: 0e04c11707d662f130151d2d2262afe041dda2cefaccc9b9ba333ba1bbf1432a
                                                                                                    • Instruction Fuzzy Hash: A7F04C7150DB945FD302AB3484186E1BFE0EF8716074906EFC849C7273DA2CA855C3D1
                                                                                                    Function 00007FF7C0CD46B0 Relevance: .0, Instructions: 42COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6162fad5f970707124dd3bca3cf617f271cecbd57578c696c2b0f64037bb9d69
                                                                                                    • Instruction ID: 380cfb2ff167f9c52437b3ac7db46c9b9bd7689dd1f708cd1f108dee5600826d
                                                                                                    • Opcode Fuzzy Hash: 6162fad5f970707124dd3bca3cf617f271cecbd57578c696c2b0f64037bb9d69
                                                                                                    • Instruction Fuzzy Hash: 8CF06231714D094F8B98EB1CC494AB5B7E2FF983203444199D40EC3395DF25E8428791
                                                                                                    Function 00007FF7C0CD3960 Relevance: .0, Instructions: 33COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dcc95ed82f9c977e5693d87652b0fc7cf246eabf91d00244ebadad963bfe1e93
                                                                                                    • Instruction ID: 2f612e668536fff004728e358ccb84ede3b46ed46e9f55c5d041c2b31311f199
                                                                                                    • Opcode Fuzzy Hash: dcc95ed82f9c977e5693d87652b0fc7cf246eabf91d00244ebadad963bfe1e93
                                                                                                    • Instruction Fuzzy Hash: 50F05C71518E185FD341BB3880082E5B7D0FF48264B4406BAC80AD3275DD29AC9183C5
                                                                                                    Function 00007FF7C0CD1044 Relevance: .0, Instructions: 23COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8abceab1038f889f2a6449b81d57a891b93ca1b1165f756acec965e791d73863
                                                                                                    • Instruction ID: d48eb12f39cbd928dbee5fc8fae4ed2b172e350a4bcf986126257be875ad195f
                                                                                                    • Opcode Fuzzy Hash: 8abceab1038f889f2a6449b81d57a891b93ca1b1165f756acec965e791d73863
                                                                                                    • Instruction Fuzzy Hash: 9DF0A0709095888FDB8ADB2488557D87BF0EF55310F1040ED844AC72A2DA3819848B00
                                                                                                    Function 00007FF7C0CD5AD3 Relevance: .0, Instructions: 7COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000009.00000002.1327650776.00007FF7C0CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CD0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_9_2_7ff7c0cd0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 24a91a30bff478123c3fdab69a48c841a76616b0aba63bd6c18ea905e194da35
                                                                                                    • Instruction ID: 06f517164b7843d15b05e91e23bc5e74e4f05cc564eb5cd390538acaffa8c279
                                                                                                    • Opcode Fuzzy Hash: 24a91a30bff478123c3fdab69a48c841a76616b0aba63bd6c18ea905e194da35
                                                                                                    • Instruction Fuzzy Hash: 14A00252ACA51E01945434ADB8420D8F344CF85271BD92572EA08C434EDA8E39D606D1

                                                                                                    Executed Functions

                                                                                                    Function 00007FF7C0CDA730 Relevance: 2.1, Strings: 1, Instructions: 876COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: [}
                                                                                                    • API String ID: 0-2479496578
                                                                                                    • Opcode ID: a23546ea59be5f61bb4224d2555029bc56221b96b7464ecabe9dfd5427e69c29
                                                                                                    • Instruction ID: 5647fe1600504b704184d4374c20881921efd08eaad2d2e4175ae5b6995dd9ef
                                                                                                    • Opcode Fuzzy Hash: a23546ea59be5f61bb4224d2555029bc56221b96b7464ecabe9dfd5427e69c29
                                                                                                    • Instruction Fuzzy Hash: B952F630A0CB464FE769AB2484552F9B7E1FF45320F5541BAD69AC72D2CF28B84293D1
                                                                                                    Function 00007FF7C0CC08CE Relevance: 1.8, Strings: 1, Instructions: 535COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: H
                                                                                                    • API String ID: 0-2852464175
                                                                                                    • Opcode ID: 182b697f7db04151c2cbe2a435897cb36d4fc10c10288f239b293c555eb26679
                                                                                                    • Instruction ID: 3a6aa3e6f50917743af8c02863b0a008d4f5367a092ab9706cbb60a819f85dd3
                                                                                                    • Opcode Fuzzy Hash: 182b697f7db04151c2cbe2a435897cb36d4fc10c10288f239b293c555eb26679
                                                                                                    • Instruction Fuzzy Hash: 4D125A709086198FDBA9EF28C4A47E8B7B1FF59314F6045EEC00ED7296CB356985CB50
                                                                                                    Function 00007FF7C0CFE5E0 Relevance: 1.3, Instructions: 1308COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6f488ba4ca23c11045426f2d6d57151f312dc590ca4445ecbfa09d37b8cf1d16
                                                                                                    • Instruction ID: 51ee35fe8c83d35aba6bab33c97a45fc7b2ea7f4fe0155d562d1e037e28ec04e
                                                                                                    • Opcode Fuzzy Hash: 6f488ba4ca23c11045426f2d6d57151f312dc590ca4445ecbfa09d37b8cf1d16
                                                                                                    • Instruction Fuzzy Hash: 53927D70618A4A8FDB98EF28C495AA9B7E1FF98350F504579E50EC7292DF34F842C781
                                                                                                    Function 00007FF7C0D057F0 Relevance: .8, Instructions: 787COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dab4eec164b23d32e53892a281771414df1d67cca79aadedb273ce5e4c39a221
                                                                                                    • Instruction ID: a49ed8aa8ce2d71bf57e121e4e0af8b0230bbab69199705666458668124d7c7e
                                                                                                    • Opcode Fuzzy Hash: dab4eec164b23d32e53892a281771414df1d67cca79aadedb273ce5e4c39a221
                                                                                                    • Instruction Fuzzy Hash: 0C429F3090CA498FEB58EF28D8456A9B7E1FF55320F5041BAD48EC7292DF35B846CB91
                                                                                                    Function 00007FF7C0CDB1B1 Relevance: .6, Instructions: 623COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cf6d9dde9618b8d368454979acc78fe037a0f46d0bae989bd636886109908a62
                                                                                                    • Instruction ID: 3f6ea8ddbc2a43b47e6e8b5d2fe1115ca28e4fbe9261d70d859f1f40244188b8
                                                                                                    • Opcode Fuzzy Hash: cf6d9dde9618b8d368454979acc78fe037a0f46d0bae989bd636886109908a62
                                                                                                    • Instruction Fuzzy Hash: 4312C53060CB458FD759EB2894956B9BBE1FFA5310F1442AED48AC7292DF34B846CBC1
                                                                                                    Function 00007FF7C0EA5A02 Relevance: .6, Instructions: 550COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1fd0e796b330f4bece9a23cfd2fe80c41e4515b7680e063c21b883b29ddd9693
                                                                                                    • Instruction ID: e1cff6b6a0eb6a61b08c3394a94e694a42187fa2fddd039945829fc5d4a30c43
                                                                                                    • Opcode Fuzzy Hash: 1fd0e796b330f4bece9a23cfd2fe80c41e4515b7680e063c21b883b29ddd9693
                                                                                                    • Instruction Fuzzy Hash: 0CD10421B5CA464FE769B73C54562B9BBD1EF89360B8401BAD44EC33D3DE28B85283D1
                                                                                                    Function 00007FF7C0EA79BD Relevance: .5, Instructions: 467COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3e9794c01e4388d6b14cc966acb8bb8986d3352ae3a0428cc230b3eaf03a8154
                                                                                                    • Instruction ID: 9a279484f079588a75efbacfcdfdb29d8ecb59ffbcf243c5b435d47bd9a0f0e8
                                                                                                    • Opcode Fuzzy Hash: 3e9794c01e4388d6b14cc966acb8bb8986d3352ae3a0428cc230b3eaf03a8154
                                                                                                    • Instruction Fuzzy Hash: 2A02CF30908A468FD759EF29C4906A9FBF1FF59320F5445AEC08AC7792CB38B552CB90
                                                                                                    Function 00007FF7C0EA31C8 Relevance: .3, Instructions: 337COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: db3f537612d4999e81e98cf6ad776d66c8f48a1e520c8b9aafda11c41707d254
                                                                                                    • Instruction ID: d1724a50a53496a3ec02c2f021377f293318d3dafd44c172ca4ea20793f17923
                                                                                                    • Opcode Fuzzy Hash: db3f537612d4999e81e98cf6ad776d66c8f48a1e520c8b9aafda11c41707d254
                                                                                                    • Instruction Fuzzy Hash: 3EA16331A5CA064BE754BF3844952B9EAD2EF9D370F90463EE04EC73D2DF28B8558291
                                                                                                    Function 00007FF7C0EA3CF8 Relevance: .1, Instructions: 147COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c825917fb317a18e2c44e7b0ae07df2115b62dfb8e519cbdcd1dc22943b0201b
                                                                                                    • Instruction ID: 311971dd9ad16d491e355f01e8df350e594c09d00427a26c5bb1923494cf55f9
                                                                                                    • Opcode Fuzzy Hash: c825917fb317a18e2c44e7b0ae07df2115b62dfb8e519cbdcd1dc22943b0201b
                                                                                                    • Instruction Fuzzy Hash: A0413AA1A0D6914FC31DEE2D54D05767F92EFAA11078441FDC8898B3CBCA28E965C7F1
                                                                                                    Function 00007FF7C0EA5FFD Relevance: .1, Instructions: 121COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e7641bab9e300eb4e57e83255c07f0dbc92c2d22039b6bee760dd43930d8d31b
                                                                                                    • Instruction ID: 8f81277ebc257eac09a7e8aa14267b45efee0ff3fbf02950b29a753a7973af8f
                                                                                                    • Opcode Fuzzy Hash: e7641bab9e300eb4e57e83255c07f0dbc92c2d22039b6bee760dd43930d8d31b
                                                                                                    • Instruction Fuzzy Hash: 8A4136A290D2A14FC31DDF2988D04767F92EFA610178881EEC8858F3DBC928E954C7F1
                                                                                                    Function 00007FF7C0D1F303 Relevance: .1, Instructions: 108COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 14a9ffdfa1c9cd7840e1153bfac53f10f06ec307fdcb5506f9a87899213db647
                                                                                                    • Instruction ID: 07377c3f9c8448288e4499ee2f86252478097041df174717ac3bd5c737328715
                                                                                                    • Opcode Fuzzy Hash: 14a9ffdfa1c9cd7840e1153bfac53f10f06ec307fdcb5506f9a87899213db647
                                                                                                    • Instruction Fuzzy Hash: DE316B70E1895D8FDB48EF68D495AADB7B1FF54314F50462AD00AD7292CF34A882CB81
                                                                                                    Function 00007FF7C0CC46B6 Relevance: .1, Instructions: 55COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e16d8973b7ee45e4989fa1bf35b7b3e85e8e1f4c65bc5dfea04e5024ccf45337
                                                                                                    • Instruction ID: 0ca7b1a87d4b7f93b8eb5430f26fe54d9d795efb51fb195fb613aa8d9b54a013
                                                                                                    • Opcode Fuzzy Hash: e16d8973b7ee45e4989fa1bf35b7b3e85e8e1f4c65bc5dfea04e5024ccf45337
                                                                                                    • Instruction Fuzzy Hash: 5811213090961A8FD769EF64C4542EDFBB1FF06321F9425B9D049D7291CB396882CF51
                                                                                                    Function 00007FF7C0CCD3C0 Relevance: 3.6, Strings: 2, Instructions: 1101COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: FY_H$JY_H
                                                                                                    • API String ID: 0-3521067786
                                                                                                    • Opcode ID: 8100dcc82cab0e9c7f4d096a9403116177d6f9c8b505888a619d7564b2cdda15
                                                                                                    • Instruction ID: be59254c2148057abaf259943d70db16eafa113192b336082dd1603491f9927f
                                                                                                    • Opcode Fuzzy Hash: 8100dcc82cab0e9c7f4d096a9403116177d6f9c8b505888a619d7564b2cdda15
                                                                                                    • Instruction Fuzzy Hash: BA828271E085698FEBA9EB2CD8857E8B7E1FF54350F5001BAD40DD3292DF3469828B94
                                                                                                    Function 00007FF7C0CCD59B Relevance: 3.4, Strings: 2, Instructions: 895COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: FY_H$JY_H
                                                                                                    • API String ID: 0-3521067786
                                                                                                    • Opcode ID: 20bbe2ef0bdd2fb2ff0f03c0eaf4a972ed01b76f9818e665bdf826d98cf6d435
                                                                                                    • Instruction ID: 9d8d104e39f42624ffe2ae027e6ec13a3db15fbbb166c38d77b6f6ea40c18bdf
                                                                                                    • Opcode Fuzzy Hash: 20bbe2ef0bdd2fb2ff0f03c0eaf4a972ed01b76f9818e665bdf826d98cf6d435
                                                                                                    • Instruction Fuzzy Hash: 7C621F70D18A698FEBA9EB28D8957E8B7F1FF58310F5001BAD40DD3291DF3469828B54
                                                                                                    Function 00007FF7C0CDBB15 Relevance: 2.9, Strings: 2, Instructions: 409COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: iX_H$S_H
                                                                                                    • API String ID: 0-939470232
                                                                                                    • Opcode ID: b7972e4267cd4da2b166be116ce95fefe436e4c3dc5bdc7b3740deeafe235b98
                                                                                                    • Instruction ID: 0ee94561abe356da746a0e0fb137b1c3bba8579ec21d607034b4f265806a1a58
                                                                                                    • Opcode Fuzzy Hash: b7972e4267cd4da2b166be116ce95fefe436e4c3dc5bdc7b3740deeafe235b98
                                                                                                    • Instruction Fuzzy Hash: 0DB11621B1CA098FE7A4EB2CA4597B9B7D1EF99320F4501BAD50DC7396DE18AC428781
                                                                                                    Function 00007FF7C0CD1DC8 Relevance: 2.9, Strings: 2, Instructions: 364COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: &N_^$d
                                                                                                    • API String ID: 0-3381655817
                                                                                                    • Opcode ID: 81588bd259b4a63d67801d4f89fa79f205af99e06c26bdbe46544e0ce0b1da2d
                                                                                                    • Instruction ID: 3c45d02bb9e43f689d89b4e3962b1221258d0138dcd3db6cc6e96e160fa97dce
                                                                                                    • Opcode Fuzzy Hash: 81588bd259b4a63d67801d4f89fa79f205af99e06c26bdbe46544e0ce0b1da2d
                                                                                                    • Instruction Fuzzy Hash: 8FB1EF30A1CB054FD728EF1C94856B6B3E1FFA4325B5446BED28AC7652CA34F8428BD1
                                                                                                    Function 00007FF7C0CC5689 Relevance: 2.7, Strings: 2, Instructions: 177COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: H$N_H
                                                                                                    • API String ID: 0-18191256
                                                                                                    • Opcode ID: 9b54cdcb924c422d5b48d73d6e01ec8c6097e4082b1b2be8abc5d8f436bcd89b
                                                                                                    • Instruction ID: 23c678f6dd7eb163b2b4b8c5dd17492309676a5fb554569866cb224240cff300
                                                                                                    • Opcode Fuzzy Hash: 9b54cdcb924c422d5b48d73d6e01ec8c6097e4082b1b2be8abc5d8f436bcd89b
                                                                                                    • Instruction Fuzzy Hash: 49517270D186498FDB54EFA8D8956EDBFF0FF59310F5405A9D049E7392CA38A882CB90
                                                                                                    Function 00007FF7C0EA3AA8 Relevance: 2.0, Strings: 1, Instructions: 739COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: _
                                                                                                    • API String ID: 0-2179862614
                                                                                                    • Opcode ID: f188576230263b6db4955353c17f65f144072aeedfdb63f2d4729fb2786e33c6
                                                                                                    • Instruction ID: 5c89d4b6e8f885169f5222b810a5ff23382417b5770ba162f1e0f77f109b34e0
                                                                                                    • Opcode Fuzzy Hash: f188576230263b6db4955353c17f65f144072aeedfdb63f2d4729fb2786e33c6
                                                                                                    • Instruction Fuzzy Hash: 5A221331B58A0A4FE368BB2C94552B5B7E2FF99360B54427DD04EC77D6CE28B8528390
                                                                                                    Function 00007FF7C0CCEAB2 Relevance: 1.7, Strings: 1, Instructions: 418COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: d34c887fb203aea5e56a12464825e783e0df9d4616b18c27dc512e0bbbceab95
                                                                                                    • Instruction ID: 8fca7e9f60740c66a1af36621240e561c7240e27553dd522b31182d342cc49c0
                                                                                                    • Opcode Fuzzy Hash: d34c887fb203aea5e56a12464825e783e0df9d4616b18c27dc512e0bbbceab95
                                                                                                    • Instruction Fuzzy Hash: 06C1F130A18B458FD769EF18C4806B5B7E1FF9A310B6445BED08AC7292DB35F8438B91
                                                                                                    Function 00007FF7C0CD523D Relevance: 1.6, Strings: 1, Instructions: 399COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ?L_H
                                                                                                    • API String ID: 0-3047738230
                                                                                                    • Opcode ID: bc4d96540f0a5d736c8acce5852bfd79b73240cfb3327bc7c1599a0e7fe9bc05
                                                                                                    • Instruction ID: a576dfb12a17a49449a6e18ab825eb513f1ce2ab5f89db619fb4a511f69165a4
                                                                                                    • Opcode Fuzzy Hash: bc4d96540f0a5d736c8acce5852bfd79b73240cfb3327bc7c1599a0e7fe9bc05
                                                                                                    • Instruction Fuzzy Hash: DCA12A71B1C94A4FE758AA2CA8562F977D1EF993A4B44427AD14EC3397EE24BC0343C1
                                                                                                    Function 00007FF7C0CD2C38 Relevance: 1.6, Strings: 1, Instructions: 390COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: daa1b7d17f06095c8c0acb202d0575fd4d3ace773405439b17784253aeff4876
                                                                                                    • Instruction ID: b26bd3d5bf6aa863692c137a6b23328371db29eee069d1fead143a520dc61a5f
                                                                                                    • Opcode Fuzzy Hash: daa1b7d17f06095c8c0acb202d0575fd4d3ace773405439b17784253aeff4876
                                                                                                    • Instruction Fuzzy Hash: 21C1F030A1CF454FD769EF188444AB5B3E1FFA8310B5446BED58AC3696CB35F8428791
                                                                                                    Function 00007FF7C0CCD058 Relevance: 1.6, Strings: 1, Instructions: 386COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: 4c0bc809d82ac37c2a116e5649bccbe1420ecd1154c6fc435743f59e72fcca0f
                                                                                                    • Instruction ID: 2dcd4fc8f94bef2e37cc98a8160a5932a99f89aa99e64f186f21787d6a3bbed6
                                                                                                    • Opcode Fuzzy Hash: 4c0bc809d82ac37c2a116e5649bccbe1420ecd1154c6fc435743f59e72fcca0f
                                                                                                    • Instruction Fuzzy Hash: 39C1BC30618B058FD768EF18D481676B3E1FF99360B604ABDD18BC3696DA35F8438B91
                                                                                                    Function 00007FF7C0CD1E48 Relevance: 1.6, Strings: 1, Instructions: 382COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: f7e4a7ef9d83e1e2055017c11b9227f333fa26217eaf6d3cebcc31f79d5c8728
                                                                                                    • Instruction ID: 78f825e2e917bbd09c3c351dca094f94aad6f8848b67070ec3bad459a12296ec
                                                                                                    • Opcode Fuzzy Hash: f7e4a7ef9d83e1e2055017c11b9227f333fa26217eaf6d3cebcc31f79d5c8728
                                                                                                    • Instruction Fuzzy Hash: 13C1DF3061CB458FD729EF18D481575B3E1FF98310B504ABED68BC3696CA35F8428791
                                                                                                    Function 00007FF7C0EA40A0 Relevance: 1.6, Strings: 1, Instructions: 341COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: PK00
                                                                                                    • API String ID: 0-1863955648
                                                                                                    • Opcode ID: 86002c506b3649517e63279cb52c9a0c4c4127e5fccb3636520b1e2a5981b2d0
                                                                                                    • Instruction ID: 674d5f00c9dd1029a3af70395fb753e62af2bdaf220f4616bca07120fdfe49ca
                                                                                                    • Opcode Fuzzy Hash: 86002c506b3649517e63279cb52c9a0c4c4127e5fccb3636520b1e2a5981b2d0
                                                                                                    • Instruction Fuzzy Hash: 17A1D471B4DA054FE359BB3894992B9BBD2EF9D320B44017DD44EC3792DE28BC5283A1
                                                                                                    Function 00007FF7C0EAA440 Relevance: 1.4, Strings: 1, Instructions: 186COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 0=
                                                                                                    • API String ID: 0-2810649447
                                                                                                    • Opcode ID: 1ca51f2501eedd5b8c4a586e5d06c12951ae81c48983a72ea34acb71eb6bc6e6
                                                                                                    • Instruction ID: c2683394c9513a3e631f61d8f651451187f99b0740a6491a61f5463aa99d529f
                                                                                                    • Opcode Fuzzy Hash: 1ca51f2501eedd5b8c4a586e5d06c12951ae81c48983a72ea34acb71eb6bc6e6
                                                                                                    • Instruction Fuzzy Hash: F0517A30D48A1D8FDB64EF68D885BACBBB0FF59350F4445A9D00EE7282DB786985CB40
                                                                                                    Function 00007FF7C0CC5634 Relevance: 1.4, Strings: 1, Instructions: 169COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: N_H
                                                                                                    • API String ID: 0-343878021
                                                                                                    • Opcode ID: f8503981a4c6af2c57af8927c322022ec5b8344bbcba2abc3207a6d17a372f1e
                                                                                                    • Instruction ID: 0a405c70a142624c3d03c8ff5a8c612781103aa7889d0d5dfb1aac91a53ebf41
                                                                                                    • Opcode Fuzzy Hash: f8503981a4c6af2c57af8927c322022ec5b8344bbcba2abc3207a6d17a372f1e
                                                                                                    • Instruction Fuzzy Hash: 3451A770D196898FDB45DFA8C8956EDBFF0FF1A310F5405ADD045E7292CA38A882CB51
                                                                                                    Function 00007FF7C0CD3E49 Relevance: 1.4, Strings: 1, Instructions: 159COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: cJ
                                                                                                    • API String ID: 0-1021838454
                                                                                                    • Opcode ID: b1a06f881cbb773da228e006b31e5425c997a6dddada564ca56be228cfb0cf52
                                                                                                    • Instruction ID: 79b99c54c49d83ce66a1d9e9a0b2ce0985033cb905731c7aa50b2e4bc80a7ee4
                                                                                                    • Opcode Fuzzy Hash: b1a06f881cbb773da228e006b31e5425c997a6dddada564ca56be228cfb0cf52
                                                                                                    • Instruction Fuzzy Hash: 4641F421A4EA8A1FE3A6BB7C58551F5BFD0EF56260B4905FED189C7293CD086C838391
                                                                                                    Function 00007FF7C0CDC438 Relevance: 1.4, Strings: 1, Instructions: 150COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: `M_H
                                                                                                    • API String ID: 0-654622389
                                                                                                    • Opcode ID: fd65f9905b587b75742aa7b9af8d948eb0f441701a5ddddfe9632bee52f25d83
                                                                                                    • Instruction ID: 851391be7ff5f56ba118be17b126ef6bff4c8c8a963a031404b9943f610eaae3
                                                                                                    • Opcode Fuzzy Hash: fd65f9905b587b75742aa7b9af8d948eb0f441701a5ddddfe9632bee52f25d83
                                                                                                    • Instruction Fuzzy Hash: 6D41247170DA4A9FD759E72C98953E4BBD1FF59320B0542EBC08DC7296CE24B84687C1
                                                                                                    Function 00007FF7C0CD3F95 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: cJ
                                                                                                    • API String ID: 0-1021838454
                                                                                                    • Opcode ID: 48cb698f686098bd9d75b0af2a9654a010e5b2557417857e21b2246afb97fead
                                                                                                    • Instruction ID: 3b4d5baf19e0c27d0f2193f6f31e97663725f62ca67a6a1f3a2fb30319604d92
                                                                                                    • Opcode Fuzzy Hash: 48cb698f686098bd9d75b0af2a9654a010e5b2557417857e21b2246afb97fead
                                                                                                    • Instruction Fuzzy Hash: CF31F421A1CA8A4FE3B5AF6D58586B5B7D0EF5962174400B6D64DC7392DE18FC0283A1
                                                                                                    Function 00007FF7C0CD3FB0 Relevance: 1.3, Strings: 1, Instructions: 80COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: `T_H
                                                                                                    • API String ID: 0-888350282
                                                                                                    • Opcode ID: d2660d5657d5043666c9aba00c7ca8beec4726772dd669d3f41a8ba426268a6d
                                                                                                    • Instruction ID: 2bb6d65d291fb7876e6c9e72d3a29ce9b7e8db7fff6887ce1b03077d4a77c8f1
                                                                                                    • Opcode Fuzzy Hash: d2660d5657d5043666c9aba00c7ca8beec4726772dd669d3f41a8ba426268a6d
                                                                                                    • Instruction Fuzzy Hash: 54113D20A19F4E1FD768AB2D845C672BBD4DF99355744017EE50DC3382DE08AC0183A1
                                                                                                    Function 00007FF7C0CCEA49 Relevance: 1.3, Strings: 1, Instructions: 33COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: :N_H
                                                                                                    • API String ID: 0-2180181802
                                                                                                    • Opcode ID: 518afa14e1529ffbf7c9d6fe5e7dccf545617f28dfa34d9cf5eaee94f658b9c0
                                                                                                    • Instruction ID: 920f0249624c3163876b46ecc406d1fc4b89f02130e9c5574d711f0cb3874b0e
                                                                                                    • Opcode Fuzzy Hash: 518afa14e1529ffbf7c9d6fe5e7dccf545617f28dfa34d9cf5eaee94f658b9c0
                                                                                                    • Instruction Fuzzy Hash: 36F08260A0845A6FD355DB68C4687E8BBE2EF5A360F4401EAD18DC7292CD282D83CB01
                                                                                                    Function 00007FF7C0CDAF3D Relevance: .7, Instructions: 740COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 14e5b6a2b43db440736675f1d2b418f39453403b8a44e4d65e1dd36c89f2921b
                                                                                                    • Instruction ID: bb2fc45d09c626b138377e61daf199dac4371de3ac4d6bda27f0d44704109781
                                                                                                    • Opcode Fuzzy Hash: 14e5b6a2b43db440736675f1d2b418f39453403b8a44e4d65e1dd36c89f2921b
                                                                                                    • Instruction Fuzzy Hash: 7C22C270B1CA494FE7A4AB6CA4593B9B7D1FF89324F4441BAD44EC3392DE24B84687C1
                                                                                                    Function 00007FF7C0CCB588 Relevance: .7, Instructions: 696COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dca34608a1115d89a2479a37c9fd6985ecb7e3da98c968265fe1948f4fe42ce6
                                                                                                    • Instruction ID: 798bbec64a7529f5fcf3f3ce6767df1a8b1f90dbd820444a385b632283948c82
                                                                                                    • Opcode Fuzzy Hash: dca34608a1115d89a2479a37c9fd6985ecb7e3da98c968265fe1948f4fe42ce6
                                                                                                    • Instruction Fuzzy Hash: 5E22E530A1C7454FD729EF2884916BAB7E1EF8A710F54457DE1CAC7292DF28F8068792
                                                                                                    Function 00007FF7C0EAA85D Relevance: .6, Instructions: 603COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9188f5d7d280ccb27c0939f864801872e46030245e7fbbe0c542923eb7faecc9
                                                                                                    • Instruction ID: 23682ba29962fc304539350daa6fa13e61deba45ff1d70c9707ae671b3f41600
                                                                                                    • Opcode Fuzzy Hash: 9188f5d7d280ccb27c0939f864801872e46030245e7fbbe0c542923eb7faecc9
                                                                                                    • Instruction Fuzzy Hash: 88121B30A18A5D8FDF88EF18C495AAABBE1FFA8314F550269E449D7251CB34F851CB81
                                                                                                    Function 00007FF7C0EA24A5 Relevance: .6, Instructions: 600COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ac044de8cc6a3159ae5eb5763b23fd0d869a9e4d70b76e66eaed4b6b9a857bc4
                                                                                                    • Instruction ID: 4a9552f59783b9ed3d8c33c3ee0099323123370a2c95e87e7b789c03865714e2
                                                                                                    • Opcode Fuzzy Hash: ac044de8cc6a3159ae5eb5763b23fd0d869a9e4d70b76e66eaed4b6b9a857bc4
                                                                                                    • Instruction Fuzzy Hash: 0F51A73084E6C95FD746AB7C84651E9BFF4EF0B220F4804EED185DB2A3CA186456C752
                                                                                                    Function 00007FF7C0EA39A8 Relevance: .6, Instructions: 588COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d7c2252d6a9cfc7ccb4acab295134dbb453d3d6faa07c227a0ebb1fae2ac3b98
                                                                                                    • Instruction ID: a33959338b8b165b7c749705fe78fb23be1a62b9fb981397fb61688c13737ca8
                                                                                                    • Opcode Fuzzy Hash: d7c2252d6a9cfc7ccb4acab295134dbb453d3d6faa07c227a0ebb1fae2ac3b98
                                                                                                    • Instruction Fuzzy Hash: 18F13A31B4CA454FE319AA2D9C562B5BBE1EF9A32075401BED4CAC3393DE18B91383D1
                                                                                                    Function 00007FF7C0EA093D Relevance: .6, Instructions: 565COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8a8a89497676172597f4486501c17305cb8d9780e722cc18076ecc7bb9999059
                                                                                                    • Instruction ID: 39720f3a6f313cc5599eb6e8a5b8cd4556958c7b55917f9350018e0f3bc71d30
                                                                                                    • Opcode Fuzzy Hash: 8a8a89497676172597f4486501c17305cb8d9780e722cc18076ecc7bb9999059
                                                                                                    • Instruction Fuzzy Hash: 5D02F470A48A498FEB55FF2894556F9BBE1FF99310F5401BAD00DC7293CF28B8528791
                                                                                                    Function 00007FF7C0EAAE49 Relevance: .6, Instructions: 555COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 533b7f53eeded96f3a9ea586c629b313de7f79e4bec562e02f17a638c4e436d0
                                                                                                    • Instruction ID: b53d8a6b2be9a4637e28f2ca09f12d453278130ad530d0177f8a7582c404ff9b
                                                                                                    • Opcode Fuzzy Hash: 533b7f53eeded96f3a9ea586c629b313de7f79e4bec562e02f17a638c4e436d0
                                                                                                    • Instruction Fuzzy Hash: 71E1D43074CB494FE768BB2C98556B6BBD1EF59220F5401BED08AC3393DF29B8568781
                                                                                                    Function 00007FF7C0EABC62 Relevance: .5, Instructions: 509COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bd64482f6452d862a2062c4183fcc5e7882923799a6b1d7ceb52269eb41df27c
                                                                                                    • Instruction ID: 379ade91c13bd059a9614bdb52cfe6abafb7fddde28fa0ef36bcc8fc83b24278
                                                                                                    • Opcode Fuzzy Hash: bd64482f6452d862a2062c4183fcc5e7882923799a6b1d7ceb52269eb41df27c
                                                                                                    • Instruction Fuzzy Hash: 32F12830A1CB854FD319FB2884555B5BFE1EF4A320F5445BED48AC7293DF28B8168792
                                                                                                    Function 00007FF7C0CD0B7B Relevance: .5, Instructions: 500COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 11917d444c95d030a2cc93a2c90653028ec1c2ae4a6b2378815af6fa11efdfee
                                                                                                    • Instruction ID: 3bd59ab0b2c9a6b40b07014a62a8de2c92454bb437cc884111e325bf9a3461ae
                                                                                                    • Opcode Fuzzy Hash: 11917d444c95d030a2cc93a2c90653028ec1c2ae4a6b2378815af6fa11efdfee
                                                                                                    • Instruction Fuzzy Hash: 9B027E7061C7854FD765EF2880907AAFBE1FF99310F54456DE58AC3282DB35B846CB82
                                                                                                    Function 00007FF7C0CC595A Relevance: .5, Instructions: 492COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 92e12ac83c3382a191998f6a62119c11784440684a5d9baf2578352cef2dff3a
                                                                                                    • Instruction ID: 104268c645f5f033335db6f5beed895816eae1657b5b6e9338ddaf437725469d
                                                                                                    • Opcode Fuzzy Hash: 92e12ac83c3382a191998f6a62119c11784440684a5d9baf2578352cef2dff3a
                                                                                                    • Instruction Fuzzy Hash: 56021C30D08A598FDBA4EF58C4957ECBBB1FF59310F9411A9D14ED7292CB386982CB90
                                                                                                    Function 00007FF7C0EA1DED Relevance: .5, Instructions: 491COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 28c28a6f4f471e4a435fa39f4d5f7d9b810de6689523c289cdb4f72575adcdd3
                                                                                                    • Instruction ID: f8dc22162222479c34461c4c6781dde66126434e9c79c6917dc8be5ee43931e2
                                                                                                    • Opcode Fuzzy Hash: 28c28a6f4f471e4a435fa39f4d5f7d9b810de6689523c289cdb4f72575adcdd3
                                                                                                    • Instruction Fuzzy Hash: E6F13F30608A498FDF84EF18C495AA97BE1FFAC354F5501A9E44DD7292CB35F852CB81
                                                                                                    Function 00007FF7C0CFCBC5 Relevance: .5, Instructions: 491COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 686a0b1920cf661bdc9282e43ca91f1e1c2f1a59be9c8793e0609bd5e595d78f
                                                                                                    • Instruction ID: 5bcdec583bb96948096888e6db071cd250769a84ef0c9b2cc781c831ae24e9cf
                                                                                                    • Opcode Fuzzy Hash: 686a0b1920cf661bdc9282e43ca91f1e1c2f1a59be9c8793e0609bd5e595d78f
                                                                                                    • Instruction Fuzzy Hash: 54E1583160DB894FD766EB28D8555E5BBE0EF86360F0402BEE049C7292DA25F846C7D2
                                                                                                    Function 00007FF7C0CCF578 Relevance: .5, Instructions: 467COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 857868fa032406ede2f53d48087f94b4a2efdd2934ab21a29ce351d8adb88cbd
                                                                                                    • Instruction ID: 7f0886b9cee6433bea6ab7609beef9bbe2f69b9ccbfaede11e7e69a0dbee6334
                                                                                                    • Opcode Fuzzy Hash: 857868fa032406ede2f53d48087f94b4a2efdd2934ab21a29ce351d8adb88cbd
                                                                                                    • Instruction Fuzzy Hash: BBD1A070A1CA094FDB98FB2C9845AB9B7D1FF58360B4041BAE44EC7296DE24FC5287D1
                                                                                                    Function 00007FF7C0EA0E95 Relevance: .5, Instructions: 461COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3be8c4be7ac21b4ac4ce0d659a8917b9bfbcf874b544dd2c45a05ccf63518ca6
                                                                                                    • Instruction ID: f700ede62c16292c83077ca59d272d9a406edfe17d62af75be6b87d35ffbf6f4
                                                                                                    • Opcode Fuzzy Hash: 3be8c4be7ac21b4ac4ce0d659a8917b9bfbcf874b544dd2c45a05ccf63518ca6
                                                                                                    • Instruction Fuzzy Hash: DEE1B430A1CA458FD794FB289455BB5BBE1FF98710F4441BAE04EC73A2DF28B8458791
                                                                                                    Function 00007FF7C0CD5420 Relevance: .4, Instructions: 438COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7d7498a94d57a1f63fab8d158a0ffd6277186ee24ca42487d03533fe7b10c11e
                                                                                                    • Instruction ID: 1dc13a881e6d2f87aa9fe63c59e91927f36700d34b4557999010cbdcf3ca6246
                                                                                                    • Opcode Fuzzy Hash: 7d7498a94d57a1f63fab8d158a0ffd6277186ee24ca42487d03533fe7b10c11e
                                                                                                    • Instruction Fuzzy Hash: C6D1BE31A08A4A8FEB65BF18D4556F9F7E1FF94321F94427AD10DC3282DB24B84187D2
                                                                                                    Function 00007FF7C0CDC06B Relevance: .4, Instructions: 429COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 80d57abdd16f9033586a549a12731e0789b35d1dfd49efa1961dea9737e379ea
                                                                                                    • Instruction ID: af3811df3ac7144ff73189c67ab7ea286cde0edf2feca2e51f3e7e056fcdf99e
                                                                                                    • Opcode Fuzzy Hash: 80d57abdd16f9033586a549a12731e0789b35d1dfd49efa1961dea9737e379ea
                                                                                                    • Instruction Fuzzy Hash: 9DD19170A18A4A8FDB94FF288498BB9B7D1EF58310F4441BAD80EC7397DE24F8458791
                                                                                                    Function 00007FF7C0CCC988 Relevance: .4, Instructions: 408COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fab1b085e1827d3fb328fb7466e542eb869f15f0f12be303842afda333032c61
                                                                                                    • Instruction ID: f121dac9f9022bebccc6c7f7b78a9ec4b5176da99227cca6011edb9e1dce3719
                                                                                                    • Opcode Fuzzy Hash: fab1b085e1827d3fb328fb7466e542eb869f15f0f12be303842afda333032c61
                                                                                                    • Instruction Fuzzy Hash: B8B1D431B1C9494FE358EB2CD8996B4B7D1EF99360B5442BED04EC32A7DE24B8468781
                                                                                                    Function 00007FF7C0CDAF01 Relevance: .4, Instructions: 405COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 47aab1568a2223529ecdbfd5e70f365100ba3836d2c7d34d84fb349ea1804943
                                                                                                    • Instruction ID: 35f4b4bb1c6c88f9a12777b68cac26e184fb02467b6fe9608e126212793a0b2c
                                                                                                    • Opcode Fuzzy Hash: 47aab1568a2223529ecdbfd5e70f365100ba3836d2c7d34d84fb349ea1804943
                                                                                                    • Instruction Fuzzy Hash: AAC1E430A0CB498FDB64EF2898555E9BBE1EF99320B5401BED44AC7393DF24B84687D1
                                                                                                    Function 00007FF7C0EA7F90 Relevance: .4, Instructions: 385COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5a6fcbf221d8abc08e053a6ffc55a34d06bf6127050d5c6e66e1b4bf35004b80
                                                                                                    • Instruction ID: fe64d586e00c8ef1af505086bf3d539bab80377a0a861040bda8726fbbd7fa36
                                                                                                    • Opcode Fuzzy Hash: 5a6fcbf221d8abc08e053a6ffc55a34d06bf6127050d5c6e66e1b4bf35004b80
                                                                                                    • Instruction Fuzzy Hash: 15A13931A6CA454FF30DBA2C98516B5BBD1FB8A328F94067DD4DBC3683DA18B85342D1
                                                                                                    Function 00007FF7C0CD5325 Relevance: .4, Instructions: 383COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8f8c464a756b08e8e6f4fa4f668785dc19fc83ed979f4c3544b2aaa00cdc89a6
                                                                                                    • Instruction ID: 94ce37bc94c698fc8ec390c77a9e49117df243c753758462cdd4f88be228651a
                                                                                                    • Opcode Fuzzy Hash: 8f8c464a756b08e8e6f4fa4f668785dc19fc83ed979f4c3544b2aaa00cdc89a6
                                                                                                    • Instruction Fuzzy Hash: CCB1C031A0CA498FDB94EF2CD4496B9B7E1EF98320B54017AD44EC3296DF25B882C7D1
                                                                                                    Function 00007FF7C0EA425D Relevance: .4, Instructions: 360COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8fcdaff214eebcf0526a479ddd9a45e3815346f42804eda53893a0b3799e3e1c
                                                                                                    • Instruction ID: 1d33c2411d04aaa4dfe933954c4338db9275579300a4b4e0ff3f60dadf769f94
                                                                                                    • Opcode Fuzzy Hash: 8fcdaff214eebcf0526a479ddd9a45e3815346f42804eda53893a0b3799e3e1c
                                                                                                    • Instruction Fuzzy Hash: BDB1CE30A49E468FE359FB388495665BBD2EF98324B90057DD05AC37A2CF28B852C790
                                                                                                    Function 00007FF7C0CCA5A0 Relevance: .4, Instructions: 355COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6f67633d895c7b60d16cd4a7fe6626ddd8f657c1f30f9dceba21732f7a0a54b2
                                                                                                    • Instruction ID: 8c5f3de7f8baaf3ee16b64bee8f77104c177bb1a2af7acba27c24db21ede6a8f
                                                                                                    • Opcode Fuzzy Hash: 6f67633d895c7b60d16cd4a7fe6626ddd8f657c1f30f9dceba21732f7a0a54b2
                                                                                                    • Instruction Fuzzy Hash: 69B1263060DA494FDB65EF3898516B5B7E1FF49324B5446BEC08DC7297CA28B846C3D1
                                                                                                    Function 00007FF7C0CCF799 Relevance: .3, Instructions: 342COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1c570b490c911c13f53f47a7414c5984e9b018af5e657e0a48241b290795e916
                                                                                                    • Instruction ID: ad319593e5ec41f82e5e9a7ceea61070a58aac238ff8db62bcb768431ac2c4b3
                                                                                                    • Opcode Fuzzy Hash: 1c570b490c911c13f53f47a7414c5984e9b018af5e657e0a48241b290795e916
                                                                                                    • Instruction Fuzzy Hash: 0EB1D661A0895A4FD7A5EF2CC4687B477E2EF95760B8901F6C04DCB3A3DE24BC468391
                                                                                                    Function 00007FF7C0CECC88 Relevance: .3, Instructions: 337COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 573130d0136915e19e49ce86d6b694a97e2228db9601dd4ad7eee2fa9a919b0b
                                                                                                    • Instruction ID: e82dab4ecb05820efc71c272f774a388c8c293d63afdc4674f207dbe07d1d8eb
                                                                                                    • Opcode Fuzzy Hash: 573130d0136915e19e49ce86d6b694a97e2228db9601dd4ad7eee2fa9a919b0b
                                                                                                    • Instruction Fuzzy Hash: 69916A71F1C98A4FE368AA2C58861B977D2EF997A0B4401BED14EC3387DE24BC034381
                                                                                                    Function 00007FF7C0CC360B Relevance: .3, Instructions: 327COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: adc7d1338bb2f0544f2e716a2fef05c8ac167cdc46161b4bbab774e7eaca5bf8
                                                                                                    • Instruction ID: db684dd5fa7edd3735bc1c694cdf2e6221a264b04a25548a7624d8eb2db3b353
                                                                                                    • Opcode Fuzzy Hash: adc7d1338bb2f0544f2e716a2fef05c8ac167cdc46161b4bbab774e7eaca5bf8
                                                                                                    • Instruction Fuzzy Hash: EFA1E86280D1525BD31277B8B8536F97B94DF52375B4882B7E19CCA2C38F1C70A683E9
                                                                                                    Function 00007FF7C0D0A310 Relevance: .3, Instructions: 310COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ed3f6d0568440fc277c6bfcdeb23228153eaba0559a16b26ebdd5e3e68e1bdc6
                                                                                                    • Instruction ID: fc3e432d048c7dcf6d9571695a18c2088077b59994d3ae6dedb648d6e547c934
                                                                                                    • Opcode Fuzzy Hash: ed3f6d0568440fc277c6bfcdeb23228153eaba0559a16b26ebdd5e3e68e1bdc6
                                                                                                    • Instruction Fuzzy Hash: A5912531A0CA494FE758EB6C98593B9B7D0FF59324F4001BBD04EC7392DE68B8468791
                                                                                                    Function 00007FF7C0CD3024 Relevance: .3, Instructions: 304COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 818cc9d94d189a68632810fdcf8d2fddab78aa6c274282b98d272fc61a020826
                                                                                                    • Instruction ID: 869308f843723c54ccb4b713a2c52715ceec5c67a39e163c1c098c35ee5b4764
                                                                                                    • Opcode Fuzzy Hash: 818cc9d94d189a68632810fdcf8d2fddab78aa6c274282b98d272fc61a020826
                                                                                                    • Instruction Fuzzy Hash: 6591F070A1CB4A8FD768EF2894855B6B3E1FF95320B50467ED09AC3296DF34F8428790
                                                                                                    Function 00007FF7C0EA7F6D Relevance: .3, Instructions: 302COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8922db011e51409804461520e1b5605c0b6bb5bbf9635098c79f021f6c109caa
                                                                                                    • Instruction ID: c81a86a67d16eb6be78573db16f0da9f26f268e0c8f3c822c402eedd536a47c8
                                                                                                    • Opcode Fuzzy Hash: 8922db011e51409804461520e1b5605c0b6bb5bbf9635098c79f021f6c109caa
                                                                                                    • Instruction Fuzzy Hash: A0812531A6CA554FF31CBE2C98916B5BAC1FB89724F94067DD4DBC3683DA18B82342D1
                                                                                                    Function 00007FF7C0CC6C31 Relevance: .3, Instructions: 295COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 023bd70d57e119b5a022abf3683fe3edd544c61e1c48c3a90fbb7993d60c8ad1
                                                                                                    • Instruction ID: 3e5cb1ff4e05b524b4dc3cdf63dad41733bbe6c1f6356296500bc5304ac5fbb2
                                                                                                    • Opcode Fuzzy Hash: 023bd70d57e119b5a022abf3683fe3edd544c61e1c48c3a90fbb7993d60c8ad1
                                                                                                    • Instruction Fuzzy Hash: B9B10570908A198FDB94EFA8C894BEDBBF1FF59310F5451AAD009E7291CB34A985CB50
                                                                                                    Function 00007FF7C0CFD9B0 Relevance: .3, Instructions: 288COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: deffe2570c7c239415b9d2de25858a2c4708042fb87e93828a6324e0748f9483
                                                                                                    • Instruction ID: d14c5562663020f7d1870e2bde61ff4b072cfee39d3949665a50f802b0886bff
                                                                                                    • Opcode Fuzzy Hash: deffe2570c7c239415b9d2de25858a2c4708042fb87e93828a6324e0748f9483
                                                                                                    • Instruction Fuzzy Hash: 87715B71A0CB494FEB58AF2CA8552B5B7E1EF96320B4002BED549C3356DE25F80383D2
                                                                                                    Function 00007FF7C0CCC5D1 Relevance: .3, Instructions: 287COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4924b82fe56dfc99b89780155edf434fe9f5cf3ef5208ca647e3a8e5fd4e03d5
                                                                                                    • Instruction ID: 3d1d2f56a513fcfb3caf952787e1de5b9fc633ded02842b67c9bc3291c8f81c8
                                                                                                    • Opcode Fuzzy Hash: 4924b82fe56dfc99b89780155edf434fe9f5cf3ef5208ca647e3a8e5fd4e03d5
                                                                                                    • Instruction Fuzzy Hash: 5781F730A0CA494FD799EF2CD8956B9B7E1FF59310B5005BEE04EC7296CF35A8428780
                                                                                                    Function 00007FF7C0CCA368 Relevance: .3, Instructions: 284COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f478926a56a8270027262dda9ded1e13068dac627862b0db5ef3ab1be96ed362
                                                                                                    • Instruction ID: 9922d5b6ea02da17532bcf67b3a132a98ef9280e042f024aaa9c7e1f00b1d6e0
                                                                                                    • Opcode Fuzzy Hash: f478926a56a8270027262dda9ded1e13068dac627862b0db5ef3ab1be96ed362
                                                                                                    • Instruction Fuzzy Hash: 77811130708A098FD6A4EF1C84947B977D5FF58321B9405BAD64EC73A6CF28EC458791
                                                                                                    Function 00007FF7C0CD1EA8 Relevance: .3, Instructions: 282COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e665eed161bad3020682dfbe125b708c64f1c7f6cfd9158c9345fea2a716fdb0
                                                                                                    • Instruction ID: 3bcdd3ad2b89aeaa952b62450ca06351bedac700d859ab5ef8fde7c0ba93bb39
                                                                                                    • Opcode Fuzzy Hash: e665eed161bad3020682dfbe125b708c64f1c7f6cfd9158c9345fea2a716fdb0
                                                                                                    • Instruction Fuzzy Hash: BA81E23060CB498FD769EF28D884AB1B7E1FF59324714067ED59EC32A2DA25F842C791
                                                                                                    Function 00007FF7C0CCB179 Relevance: .3, Instructions: 272COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4fc1d9dfed1ea18b83a06014ae5f11f57162fee36a3ef6281f2e38ce08c00b2c
                                                                                                    • Instruction ID: 507ae75f5d33a31d3c7fd10e9bbb8bb1d1f233d95ab61c7426954f481fa89807
                                                                                                    • Opcode Fuzzy Hash: 4fc1d9dfed1ea18b83a06014ae5f11f57162fee36a3ef6281f2e38ce08c00b2c
                                                                                                    • Instruction Fuzzy Hash: AE71C3307089494FE7A4EB2CE459AB9B7D0FF49324B5410FAE48EC73A2DA14EC428791
                                                                                                    Function 00007FF7C0CCB170 Relevance: .3, Instructions: 269COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 608878b010151b3f33e0eec6f9db02c82b4aef00635c2e33ce92aeb9a8775630
                                                                                                    • Instruction ID: 809471e3e6a6740b2d2fad9c227c942fc4c5216b886b723cbc713617954a2a2a
                                                                                                    • Opcode Fuzzy Hash: 608878b010151b3f33e0eec6f9db02c82b4aef00635c2e33ce92aeb9a8775630
                                                                                                    • Instruction Fuzzy Hash: 01719131B1C9498FDB68EB2DE4556B5B3E0FF59325B5042BAD04EC3292DF25F8028780
                                                                                                    Function 00007FF7C0CC33D7 Relevance: .3, Instructions: 267COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 08f6739be87d5c6072aab5b7acf3d8d994d0de1cbe097f530039c9cdb67c306a
                                                                                                    • Instruction ID: 2e17f7d7a07eecb2ff1961026271a155e721269edc39f6864ba24b540f937ff7
                                                                                                    • Opcode Fuzzy Hash: 08f6739be87d5c6072aab5b7acf3d8d994d0de1cbe097f530039c9cdb67c306a
                                                                                                    • Instruction Fuzzy Hash: 6891E171D0C64D4FE764EF68E8452E8FBA0FF46320F8412BAD16DD72D2CB2865068B90
                                                                                                    Function 00007FF7C0CDAFD8 Relevance: .3, Instructions: 262COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2b65ba169d48ee613f3d88117b010678f98dc4554367b8248cc782870b167b27
                                                                                                    • Instruction ID: ab954b530a424f456d0b2859cb932d8ab6505d8b154e5aefb26c8f074b6f0920
                                                                                                    • Opcode Fuzzy Hash: 2b65ba169d48ee613f3d88117b010678f98dc4554367b8248cc782870b167b27
                                                                                                    • Instruction Fuzzy Hash: FC71E03060DA498FE768AB2CD8097B5B7D1FF59321F5046BAD09EC3292CF24B8568781
                                                                                                    Function 00007FF7C0EA99C9 Relevance: .3, Instructions: 258COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f6347bf0655853d97e606e14fb29ac5dd4afa7fa0956349650d1aac357bea162
                                                                                                    • Instruction ID: 4fd2b380709a27223daa27cc7157bb42e4ac279aba65b6284ad2a0f630233e98
                                                                                                    • Opcode Fuzzy Hash: f6347bf0655853d97e606e14fb29ac5dd4afa7fa0956349650d1aac357bea162
                                                                                                    • Instruction Fuzzy Hash: 54A12A70908A5D8FDB94EF68C890BE9BBB1FF59310F5041AAD04DE7292DF386985CB50
                                                                                                    Function 00007FF7C0CCA310 Relevance: .2, Instructions: 249COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3bb2550185a4dc3655ac7d9261989d44bca235aa581eba589e469a5673a3b661
                                                                                                    • Instruction ID: d1b9299fe434fd51059f0eab7cd667f2c3b7c159d5215cf1a2fb608a8877966e
                                                                                                    • Opcode Fuzzy Hash: 3bb2550185a4dc3655ac7d9261989d44bca235aa581eba589e469a5673a3b661
                                                                                                    • Instruction Fuzzy Hash: 63716C70A18B498FE768EF28D4596BAB7D1EF98311F50453ED48AC3391DF34A8428792
                                                                                                    Function 00007FF7C0CDA948 Relevance: .2, Instructions: 246COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 241497e2144d1256e852f2ead1e72297d84a3365b1398ae11fec14165105344c
                                                                                                    • Instruction ID: 199bb73779525e5e26e07de5b0c23d2ea9152ce8bef21e6dd28f3b60f190f491
                                                                                                    • Opcode Fuzzy Hash: 241497e2144d1256e852f2ead1e72297d84a3365b1398ae11fec14165105344c
                                                                                                    • Instruction Fuzzy Hash: 09712030A08B858BD769EF28C4456F6B7E0EF55320F9406BEC15AC7292DF28B946D781
                                                                                                    Function 00007FF7C0CCB1F8 Relevance: .2, Instructions: 243COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6320d90763cd1320c10762af698c694baa6507f87f4cc052a8e2f7abfbf468bd
                                                                                                    • Instruction ID: 8f7edc728ff7c218f45cf50be10ee54c964554a3b75ede3bd28091e2ff8abe00
                                                                                                    • Opcode Fuzzy Hash: 6320d90763cd1320c10762af698c694baa6507f87f4cc052a8e2f7abfbf468bd
                                                                                                    • Instruction Fuzzy Hash: 9A71F730A1CB4A4FE779EB2884A85B9B7D1FF59720B54057ED18EC33A1DF28B8458391
                                                                                                    Function 00007FF7C0CDAED8 Relevance: .2, Instructions: 239COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f1daecdf7e1c3420814564b90d992dd9b8f5ec5356f730935f5552a454e73653
                                                                                                    • Instruction ID: 285a2264d38123b45366d5b6705ef4a6fbb16ac28dd57ef69b73ede21b9dea68
                                                                                                    • Opcode Fuzzy Hash: f1daecdf7e1c3420814564b90d992dd9b8f5ec5356f730935f5552a454e73653
                                                                                                    • Instruction Fuzzy Hash: A5712930A18A4ACFDB98EF1CC495BA9B7E1FF68355B540069E50AD33A1CB34E851CB90
                                                                                                    Function 00007FF7C0CCA308 Relevance: .2, Instructions: 235COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d50f44ce334c30531d0a6427323a5bee1a14231e2d171e64421b84909a0df017
                                                                                                    • Instruction ID: e0285b4ac91636cabe74eb3c1a29819a20e8fdbb716e109433f432828d3c6456
                                                                                                    • Opcode Fuzzy Hash: d50f44ce334c30531d0a6427323a5bee1a14231e2d171e64421b84909a0df017
                                                                                                    • Instruction Fuzzy Hash: 7B71E270218E4A9FD764EB2CC4587A6F7E1FF99361F440A69D04AC3292CF34F8528781
                                                                                                    Function 00007FF7C0CCA6FD Relevance: .2, Instructions: 235COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e8401c147c9f710fc92b44354c8085746dad79f6d7430959a59af57976b8721d
                                                                                                    • Instruction ID: 4cce2e4a2c0e36fad164d4dc77f3118f595db1f070ac22a569dd2a28334f2ce0
                                                                                                    • Opcode Fuzzy Hash: e8401c147c9f710fc92b44354c8085746dad79f6d7430959a59af57976b8721d
                                                                                                    • Instruction Fuzzy Hash: 2F613821A0CA860FE315B77D586A2F9BBD1EF99374B4841FED08DC72A3DD1878468385
                                                                                                    Function 00007FF7C0D1651D Relevance: .2, Instructions: 231COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0280e2fd60c830f44592d7dcb4f4b6e49abc0f28827fe14640c49e50d3a26844
                                                                                                    • Instruction ID: d848337829463376c5eac790723f44873bc8724b91363e899be72c29c8d3f8df
                                                                                                    • Opcode Fuzzy Hash: 0280e2fd60c830f44592d7dcb4f4b6e49abc0f28827fe14640c49e50d3a26844
                                                                                                    • Instruction Fuzzy Hash: 7C510930A1CB594FE754AA2D5815679B7D5EF89730F5402BEE48EC3392DF28B80283D1
                                                                                                    Function 00007FF7C0CCA67D Relevance: .2, Instructions: 229COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7192697971663ece4af2e515aa999b7690ebfd3b8591518a710bc827b355a608
                                                                                                    • Instruction ID: 246c47f492a697657a3417fd0d5aa643177eb18a477bef992a6127bf3ab03745
                                                                                                    • Opcode Fuzzy Hash: 7192697971663ece4af2e515aa999b7690ebfd3b8591518a710bc827b355a608
                                                                                                    • Instruction Fuzzy Hash: 47612831A0DA860FE315BB7C58692F5BBD1EF5A278B4841FED08DC7293DE1878468385
                                                                                                    Function 00007FF7C0CC7C35 Relevance: .2, Instructions: 227COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5f6dc84d91ca49a42c8454cf4c0bf47c283fc9d510311bf6cc8365e97ba620a2
                                                                                                    • Instruction ID: 5a576a1656c482b493f2b3f09c423306bb2fe037689b33b314851d48f45ac4f8
                                                                                                    • Opcode Fuzzy Hash: 5f6dc84d91ca49a42c8454cf4c0bf47c283fc9d510311bf6cc8365e97ba620a2
                                                                                                    • Instruction Fuzzy Hash: 3F71D270C4D6898FDB25AB64D8556F8FBB0FF06320F4402BAD04AD7292CB2D2656C791
                                                                                                    Function 00007FF7C0EA0975 Relevance: .2, Instructions: 223COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fd72f8f448093bbc50a74764fcc1054f6d6fa1c3a0f1bc38496ec7d49b058c21
                                                                                                    • Instruction ID: 0076daa8873040271279bce327f9b7d798e8c4243b918f016f39ac362ed86b56
                                                                                                    • Opcode Fuzzy Hash: fd72f8f448093bbc50a74764fcc1054f6d6fa1c3a0f1bc38496ec7d49b058c21
                                                                                                    • Instruction Fuzzy Hash: 04516B7098D6464FE755BB2858566F6BBE0EF89320B4401BBD40EC7693DE2CB85383A1
                                                                                                    Function 00007FF7C0CCAD20 Relevance: .2, Instructions: 223COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e8b9eabac4230b9f24ac0f6f8beaf2d526a3f687bfee01b8597fe1a84055936c
                                                                                                    • Instruction ID: 8059c8f7519da7836831a1e66c8b9a23f9fa3ef64fdda697e330f2b690a09851
                                                                                                    • Opcode Fuzzy Hash: e8b9eabac4230b9f24ac0f6f8beaf2d526a3f687bfee01b8597fe1a84055936c
                                                                                                    • Instruction Fuzzy Hash: F051B561A0E7C50FD3675B3488642A1BFB0EF5329575D41EBC089CB5E3DA1CA80AC7A2
                                                                                                    Function 00007FF7C0EA3198 Relevance: .2, Instructions: 222COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 504cfe05548db2844fb794dccca47194007aab26dbda127c1b7d3984fd646fcb
                                                                                                    • Instruction ID: 99c9b7bf7bb02725699cce5e7b8f9d3689709a3ddcb7f96c6618ae637e86029f
                                                                                                    • Opcode Fuzzy Hash: 504cfe05548db2844fb794dccca47194007aab26dbda127c1b7d3984fd646fcb
                                                                                                    • Instruction Fuzzy Hash: 5551C471A4CA064FE7A4BE3844942B5FAD2EF9D330B90463ED45EC73C2DF28B85542A1
                                                                                                    Function 00007FF7C0D0A0B0 Relevance: .2, Instructions: 218COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fae2633ef9e388865f5e83f5949777a9db10ad7d6c3325ac0c00a037ed89f264
                                                                                                    • Instruction ID: 4b26c4b3d3c7ce72d9f86aec7bc8be7db27b019fbea99c21c7080b2183f0bed5
                                                                                                    • Opcode Fuzzy Hash: fae2633ef9e388865f5e83f5949777a9db10ad7d6c3325ac0c00a037ed89f264
                                                                                                    • Instruction Fuzzy Hash: 23612830A0CA864FE355AB7D54692B5BBD1FF9A364B4805FED08DC73A3DE186C468381
                                                                                                    Function 00007FF7C0CC0568 Relevance: .2, Instructions: 216COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9497d2bfd442a60584ac7563ba1f42bc2ccc0befb714d45d4da66a66afe11a8e
                                                                                                    • Instruction ID: a83235a97a96cc7edb3820972f3554f5d203961e51e5d942b603a237206dc629
                                                                                                    • Opcode Fuzzy Hash: 9497d2bfd442a60584ac7563ba1f42bc2ccc0befb714d45d4da66a66afe11a8e
                                                                                                    • Instruction Fuzzy Hash: 4E7143709096598FDF48EF68D4946FDBBB1EF59325F50013EE44AE7292CB38A841CB90
                                                                                                    Function 00007FF7C0CC9B88 Relevance: .2, Instructions: 212COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a8614fd8e516739cd619d03ffd0bde0d3f504b67fde2d059bafc15c3d16049b3
                                                                                                    • Instruction ID: 32a576e32567739e43cf36ea3c51ccca77e83d92032788546b1096d0a70c4f05
                                                                                                    • Opcode Fuzzy Hash: a8614fd8e516739cd619d03ffd0bde0d3f504b67fde2d059bafc15c3d16049b3
                                                                                                    • Instruction Fuzzy Hash: E5513B61A0CA864FD365AB38C4656F5BBE1FF9631074845FAC08EC7397DE28F8068391
                                                                                                    Function 00007FF7C0CD3CBD Relevance: .2, Instructions: 212COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6522f2742c09af8f8726e847fd6988c23d7ec87a1ba898bbcd460fb7fef19b9b
                                                                                                    • Instruction ID: dc813d0a261b570c8a3d1109facc078ae1bf007111262b8a7fbd65a4717499fe
                                                                                                    • Opcode Fuzzy Hash: 6522f2742c09af8f8726e847fd6988c23d7ec87a1ba898bbcd460fb7fef19b9b
                                                                                                    • Instruction Fuzzy Hash: 8451D73170CA0A4FEBA4EB1CA4556B5B7D1EF95331B44027BD84EC3296DE25F8528780
                                                                                                    Function 00007FF7C0CD1EE0 Relevance: .2, Instructions: 210COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bd9c6d31bee8391d5caee733404680efe397481cf2f46a4f6ede39366a9a872f
                                                                                                    • Instruction ID: b8ad60633035d4fe4e3f09910bd47d864a4211c25def85fbbd41fda28aec2b0f
                                                                                                    • Opcode Fuzzy Hash: bd9c6d31bee8391d5caee733404680efe397481cf2f46a4f6ede39366a9a872f
                                                                                                    • Instruction Fuzzy Hash: AF51C330618B094FD768AF1CD884AA1B3E0FF99324754067EE55EC3296DB35F89287D1
                                                                                                    Function 00007FF7C0CC7F12 Relevance: .2, Instructions: 206COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5026c9b8aed5de3878b0412f1e51126419e8f7d46c7d60c544fe77d70c6458ea
                                                                                                    • Instruction ID: 2aad3708fcfe45837593e60502c183f8d178a1eb18049ced723d2721ba7db3f4
                                                                                                    • Opcode Fuzzy Hash: 5026c9b8aed5de3878b0412f1e51126419e8f7d46c7d60c544fe77d70c6458ea
                                                                                                    • Instruction Fuzzy Hash: AE6190709096499FDB55EBA8C455AEDBBF1FF4A310F1401AED049D7292CB386846CB50
                                                                                                    Function 00007FF7C0CC4320 Relevance: .2, Instructions: 205COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 89fd4daaffacca5f97ecda095725362326425afa8f674326917379bd7b72f210
                                                                                                    • Instruction ID: 3818e4c3ade079ac1dd90c40ea2483d84de3ccd096e264105fa6a64dfc7bb2b8
                                                                                                    • Opcode Fuzzy Hash: 89fd4daaffacca5f97ecda095725362326425afa8f674326917379bd7b72f210
                                                                                                    • Instruction Fuzzy Hash: FB512A6620D9858FD715AB3DF8013E97B60FFC233570885B7D249CA283CA24B859C7D4
                                                                                                    Function 00007FF7C0CCD0E8 Relevance: .2, Instructions: 205COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5a92692d51c0c7babe64902fbc4f12e598392fac30eb4085300d91c8964a7557
                                                                                                    • Instruction ID: ae2e9a94b1417595148920854199ca7280629013ec382eaa974aa881c37eb1b8
                                                                                                    • Opcode Fuzzy Hash: 5a92692d51c0c7babe64902fbc4f12e598392fac30eb4085300d91c8964a7557
                                                                                                    • Instruction Fuzzy Hash: 7751E130618A0A8FD768AF58D884AA1B3E0FF99324B54467DD54EC3262DB35F89387D0
                                                                                                    Function 00007FF7C0CC1CB5 Relevance: .2, Instructions: 201COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c494bbb3f14982316733058d19e581e057f46aae5c76f1150ef50d3df9eb1d8e
                                                                                                    • Instruction ID: 626f90eaec15055253676709dd2f32f12349037d03eb1bf22c29de8f1dc1000b
                                                                                                    • Opcode Fuzzy Hash: c494bbb3f14982316733058d19e581e057f46aae5c76f1150ef50d3df9eb1d8e
                                                                                                    • Instruction Fuzzy Hash: CC51617188E2C11FD3175B30AC174E67FA89F03625B1A41E7E459CA993CA1D2697C3B2
                                                                                                    Function 00007FF7C0EA34D6 Relevance: .2, Instructions: 200COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d72303524ad02f144033d4181cb4f934542161aa345776fadff00f382888d2c8
                                                                                                    • Instruction ID: cebb5420073db84c8e1ede51358768f055f539b17659e6d6df8b9678dd7d79f9
                                                                                                    • Opcode Fuzzy Hash: d72303524ad02f144033d4181cb4f934542161aa345776fadff00f382888d2c8
                                                                                                    • Instruction Fuzzy Hash: E471C370D5861D8FDB98EF68C8957E8B7B1FB59310F5011A9E04EE3291CB74A984CF50
                                                                                                    Function 00007FF7C0CC9A88 Relevance: .2, Instructions: 191COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f99641902d46612b0341ac5e89ae6c7f2543aa7e10c4a1fb500291371edc3c74
                                                                                                    • Instruction ID: 7a866fcae9be27b6676fbb04c71e9bad5d7fa0953b56d4912cfc6f78791eefbe
                                                                                                    • Opcode Fuzzy Hash: f99641902d46612b0341ac5e89ae6c7f2543aa7e10c4a1fb500291371edc3c74
                                                                                                    • Instruction Fuzzy Hash: 18512BA2E0C6460FD316B77CACA23E577D4EF6136870842B7D18DCA293EE18B44543D9
                                                                                                    Function 00007FF7C0CD57D6 Relevance: .2, Instructions: 191COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 50bc05dfa07a94966030f6432330d8f543a9f1b3b8d3fec36bdfa295fb556c6d
                                                                                                    • Instruction ID: c532eb42d9f957aaf6f1d960e7d69fdf7a5ce232fe53205ce55cd7e7be66518c
                                                                                                    • Opcode Fuzzy Hash: 50bc05dfa07a94966030f6432330d8f543a9f1b3b8d3fec36bdfa295fb556c6d
                                                                                                    • Instruction Fuzzy Hash: 94517070A0CB498FE768EF28C4596BAB7E1FF95311F44452ED489C73A1DF34A8418791
                                                                                                    Function 00007FF7C0CCC750 Relevance: .2, Instructions: 188COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 716c9b6179d64a1d1a1ebbcc08d954f0006ab90b86986089d231a4c0d40b067e
                                                                                                    • Instruction ID: ea6ea707a1fa81b90fd9656611622b890d141cc9c413f6604153d3cb8d0523f5
                                                                                                    • Opcode Fuzzy Hash: 716c9b6179d64a1d1a1ebbcc08d954f0006ab90b86986089d231a4c0d40b067e
                                                                                                    • Instruction Fuzzy Hash: B7510E30A18E1D8FDF98EF1CD495AAAB3E1FF98354B50456AE41ED7285DF34E8428780
                                                                                                    Function 00007FF7C0CD07F5 Relevance: .2, Instructions: 186COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 012812e30b814aa8f11efff007716feb8c31f7f291c9fb67ecce839750993c75
                                                                                                    • Instruction ID: 3c2f26d4a4b23e84b18a24c9439613a55ad0d490d14fd5ddce9be17bbd0a6736
                                                                                                    • Opcode Fuzzy Hash: 012812e30b814aa8f11efff007716feb8c31f7f291c9fb67ecce839750993c75
                                                                                                    • Instruction Fuzzy Hash: 1551F63061DA098FDB58EF3894596A8FBE1FF59325B4401BEE44DC3292DF25B846C781
                                                                                                    Function 00007FF7C0EA751E Relevance: .2, Instructions: 184COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4051cae1c63060d0a8f2a7f0100d48ea31de62608a14d20e08fb69b893be1a8b
                                                                                                    • Instruction ID: 9f487b384c3223858491416f1c94c9b47d47bfe31f50688ab57155112b46844d
                                                                                                    • Opcode Fuzzy Hash: 4051cae1c63060d0a8f2a7f0100d48ea31de62608a14d20e08fb69b893be1a8b
                                                                                                    • Instruction Fuzzy Hash: F851093160CB824FD356EB3DD8512A5BBE0EF49324B5045BAD08AC77D3CB29B952C7A1
                                                                                                    Function 00007FF7C0CCA81D Relevance: .2, Instructions: 182COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 00fffd6d4a2691dc11c42049077ae9b1881b0bf0093b44f2b5e1c1d1feb7fae9
                                                                                                    • Instruction ID: 84cf1e0ceceb371800e7710975e70cb8e3f3b324e839e667bbcf071562c9c50d
                                                                                                    • Opcode Fuzzy Hash: 00fffd6d4a2691dc11c42049077ae9b1881b0bf0093b44f2b5e1c1d1feb7fae9
                                                                                                    • Instruction Fuzzy Hash: DB413B22A1CB2647D3157B7CA8422F9B7C4EF943B5B44853BD28EC6253CF18749683D5
                                                                                                    Function 00007FF7C0CDAB08 Relevance: .2, Instructions: 181COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 45680350cc56a7cd49f8845e5b3f13496b32d46989ffc840d1b08832eb64e0fc
                                                                                                    • Instruction ID: 2a00bd62728637cea14e078d8612fde4ca9878020a800b473754f950a5611ced
                                                                                                    • Opcode Fuzzy Hash: 45680350cc56a7cd49f8845e5b3f13496b32d46989ffc840d1b08832eb64e0fc
                                                                                                    • Instruction Fuzzy Hash: 3751E271A18A194FE764BB6CA4457F8B7D1EF59720F4441B6E00DCB383DE18784247D5
                                                                                                    Function 00007FF7C0CDAA2D Relevance: .2, Instructions: 181COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c20678a78dc5cab652827e8b5dbf2e4c0d56fc32d8ad791bf56274752555b88e
                                                                                                    • Instruction ID: 65f2fdb24bc744dc0074fb5cc0736ae4f1421f1fac28e2889c72bfbc812e58f6
                                                                                                    • Opcode Fuzzy Hash: c20678a78dc5cab652827e8b5dbf2e4c0d56fc32d8ad791bf56274752555b88e
                                                                                                    • Instruction Fuzzy Hash: E5413725B1CA464FE358BB3D84452B9B7D2EF85235B5482BED48AC72D2DE28B4478390
                                                                                                    Function 00007FF7C0CDAB18 Relevance: .2, Instructions: 179COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 81b0c7f8841347be43074e8e3fc809fc65b8af72cdd0d23a812c851e141dfbda
                                                                                                    • Instruction ID: 691f0233168f44a91fc42058787107e7c18aa303ce09b7fa697b892356dd9545
                                                                                                    • Opcode Fuzzy Hash: 81b0c7f8841347be43074e8e3fc809fc65b8af72cdd0d23a812c851e141dfbda
                                                                                                    • Instruction Fuzzy Hash: 6651F22161CA564FE364AB3894157F5B7D1EF44320F8445F9D48EC7296DE2DB88683A0
                                                                                                    Function 00007FF7C0CC7A22 Relevance: .2, Instructions: 178COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: de4f5335ad35126284e8a503982552546e206396b8a56ed422242106830960c9
                                                                                                    • Instruction ID: c2f24ea3b962e2437a13dc6141e1e5c0436125f74a9988c3cb82414614f1c464
                                                                                                    • Opcode Fuzzy Hash: de4f5335ad35126284e8a503982552546e206396b8a56ed422242106830960c9
                                                                                                    • Instruction Fuzzy Hash: 4C51BE30D0851E8BEB64EE24D8557FCF7A0EF45320F9012B9C14ED3382DF282A668B90
                                                                                                    Function 00007FF7C0CC7C85 Relevance: .2, Instructions: 178COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d37c55dff935f99000e0601e2a32b7da77b0bde927f1c715ffbaeee075a79854
                                                                                                    • Instruction ID: 01a80fa234b2a2dfaf03184fb51e1c613286dcfd72dde5c165ec1b0ee667df5c
                                                                                                    • Opcode Fuzzy Hash: d37c55dff935f99000e0601e2a32b7da77b0bde927f1c715ffbaeee075a79854
                                                                                                    • Instruction Fuzzy Hash: 7C51067094D6898FDB16DBA888556E9BFF0FF06320F4402EED08AD7692CB2C2556C791
                                                                                                    Function 00007FF7C0CC06B0 Relevance: .2, Instructions: 178COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3aa9df80f1dcd7fe1ee8974a07805f6178b069e657301c57cc38160243288768
                                                                                                    • Instruction ID: 8fc56cb8d47ab845d2bfe0343b0bad9ecbfd9ee10681bcf0fc729fb466c6355b
                                                                                                    • Opcode Fuzzy Hash: 3aa9df80f1dcd7fe1ee8974a07805f6178b069e657301c57cc38160243288768
                                                                                                    • Instruction Fuzzy Hash: B9511770908A1D8FDB94EF68D485BEDBBE0FF59321F50116AE019E7292CB74A841CB90
                                                                                                    Function 00007FF7C0CD8138 Relevance: .2, Instructions: 175COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 34dcb6d6e7e7d424ab105fed871da7ced21a2aaefba94dedc8dd707aa274e63a
                                                                                                    • Instruction ID: 2a46b008d7d154eb86dda4506ebc3af4093acd32c262774a395b9450cf0280fb
                                                                                                    • Opcode Fuzzy Hash: 34dcb6d6e7e7d424ab105fed871da7ced21a2aaefba94dedc8dd707aa274e63a
                                                                                                    • Instruction Fuzzy Hash: FD51C26150EBC54FC357973888652957FB0EF53321F4A45EBC089CB1E3EA28AC09C7A2
                                                                                                    Function 00007FF7C0CD2805 Relevance: .2, Instructions: 174COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c51f524349fef4a2c52b4e96bccca8092e0fa883048107e5e84b093fd684b02a
                                                                                                    • Instruction ID: b6b5e44ecf182d4d766aa2b5805d3a724ba6ebf5683c870ff1a355fce4f25240
                                                                                                    • Opcode Fuzzy Hash: c51f524349fef4a2c52b4e96bccca8092e0fa883048107e5e84b093fd684b02a
                                                                                                    • Instruction Fuzzy Hash: 0351F572A0864A5FE356AB3CD8A13E9BBA0FF51365F1441BBC149C7193DF2434068BA0
                                                                                                    Function 00007FF7C0CD78C3 Relevance: .2, Instructions: 172COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b9480ff43132825a6cdfadd30f9a11666fb69f778fef855e3d26259ce77e3224
                                                                                                    • Instruction ID: 618874fd4db5221eff615880baf9de1f86e4fe0afaf75987b4f4a2cd09653273
                                                                                                    • Opcode Fuzzy Hash: b9480ff43132825a6cdfadd30f9a11666fb69f778fef855e3d26259ce77e3224
                                                                                                    • Instruction Fuzzy Hash: 7751F63190DB858FD775EA18C8A46A9BBE1FF81320F8407BDC14ECB292E6306916C3D1
                                                                                                    Function 00007FF7C0CC731E Relevance: .2, Instructions: 171COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a7ab3191ee3c4d5346eecff5c993379f1c82e5ba0b41245b159df4f32b713387
                                                                                                    • Instruction ID: 7d592219d0b0a5505dfbace2b69c3e7c9fe801c7daccc973e20a4625a8caa68c
                                                                                                    • Opcode Fuzzy Hash: a7ab3191ee3c4d5346eecff5c993379f1c82e5ba0b41245b159df4f32b713387
                                                                                                    • Instruction Fuzzy Hash: D0614A709096598FDB64EFA8C8547EDBBB0EF55320F9012BAD14AE3292CB382955CB50
                                                                                                    Function 00007FF7C0CD0818 Relevance: .2, Instructions: 171COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7b3d9e6718e09ec8698a3753f0ee722e19acdedf1dd99b2d28f0c218426ed5b2
                                                                                                    • Instruction ID: 342974e044a27e1605b6482b477b57f1cf499de1ba2be98ea64ba3f156da3e81
                                                                                                    • Opcode Fuzzy Hash: 7b3d9e6718e09ec8698a3753f0ee722e19acdedf1dd99b2d28f0c218426ed5b2
                                                                                                    • Instruction Fuzzy Hash: 2E41F821A1CB590BD264BA3D64463FA77C5EF85730F54027EE48DC7393CE18784682D6
                                                                                                    Function 00007FF7C0CD0820 Relevance: .2, Instructions: 168COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 17d6b9ee95a771e0d48f1a1f7aa98098d642ad03606937c5a1624ea8344c80d2
                                                                                                    • Instruction ID: 699592394d826a74c9659ab197f57313be4f8e57748009c5bfd725284446d700
                                                                                                    • Opcode Fuzzy Hash: 17d6b9ee95a771e0d48f1a1f7aa98098d642ad03606937c5a1624ea8344c80d2
                                                                                                    • Instruction Fuzzy Hash: D441D520A1CB590BE264BA7D64463BA77C5EF95730F54027EE48DC7393CE18B84282D6
                                                                                                    Function 00007FF7C0EA8BCE Relevance: .2, Instructions: 167COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e23a572b964e30c8b20e584a28be59a5be7b43d32910a2a513a028ea42bb9469
                                                                                                    • Instruction ID: d205e1e35acf075c172aacb64ca613ec9edd2de2248802eefc0755fe9182f507
                                                                                                    • Opcode Fuzzy Hash: e23a572b964e30c8b20e584a28be59a5be7b43d32910a2a513a028ea42bb9469
                                                                                                    • Instruction Fuzzy Hash: A151C530645B468FD729EF28C0856A2BBE1FF88324B50457DC08BC7A56CB78F452CB91
                                                                                                    Function 00007FF7C0CD0828 Relevance: .2, Instructions: 165COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9a684ef5a058396d72c74f9211341566be4eef3975afbbf76d970efaa56a4f4b
                                                                                                    • Instruction ID: b6820b7986595120cd586add247c7f3377b2d5d04b73d9ab4eeb7ea79902fc67
                                                                                                    • Opcode Fuzzy Hash: 9a684ef5a058396d72c74f9211341566be4eef3975afbbf76d970efaa56a4f4b
                                                                                                    • Instruction Fuzzy Hash: 7741E620A1CB590BE264BA3C54463BA77C5EF85730F54027EE48EC7393CE18BC4282D2
                                                                                                    Function 00007FF7C0CCB628 Relevance: .2, Instructions: 162COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 46605e37de6a42aebb1f7e70eaeec5974da9074e9b4e71df794eaee31f779eba
                                                                                                    • Instruction ID: 03270b8daf9f669535a6abaf558b74a16f88fd6231cb4243b883b135e745f14a
                                                                                                    • Opcode Fuzzy Hash: 46605e37de6a42aebb1f7e70eaeec5974da9074e9b4e71df794eaee31f779eba
                                                                                                    • Instruction Fuzzy Hash: B651072290C7924FD742AB7898661E47BF19F5237074981F7C489CF1A3EA1C785AC3A6
                                                                                                    Function 00007FF7C0D0E110 Relevance: .2, Instructions: 161COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2275e3af29d9d1c8a55f73feed7c6189c5b191008dab004f3e7ecc3fc0b3e928
                                                                                                    • Instruction ID: 581405dd379112054061f32ab0af2d8da3e4f7d14a98a19dc4d291704515b543
                                                                                                    • Opcode Fuzzy Hash: 2275e3af29d9d1c8a55f73feed7c6189c5b191008dab004f3e7ecc3fc0b3e928
                                                                                                    • Instruction Fuzzy Hash: AA410431A08A064FD769FF38C8545A9B7E1FF95314B4446BAD08EC72A2DB28B841C7D1
                                                                                                    Function 00007FF7C0CCCBF3 Relevance: .2, Instructions: 159COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 410d932fadb5adcb51db6f6a999fdd63b171ed8ca717810b251dc5f5908c6b0c
                                                                                                    • Instruction ID: 3250c22971d7f4c59a5e9156fcc01e134904304eba36551a4303cee5602079c5
                                                                                                    • Opcode Fuzzy Hash: 410d932fadb5adcb51db6f6a999fdd63b171ed8ca717810b251dc5f5908c6b0c
                                                                                                    • Instruction Fuzzy Hash: 6441FC31B0CA454FE355EB7C84592B87BE1EF99350B5445BED04EC73D7DE28A8068741
                                                                                                    Function 00007FF7C0CD15B5 Relevance: .2, Instructions: 157COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: de86ae7faef312ef40aea1095a2c8d82aa237df134ea56426ef70bd44d2d4700
                                                                                                    • Instruction ID: 6a46e2d15e3b35a2095949bc9f23266ee58ea1ce32e3b4703abe00bae260438b
                                                                                                    • Opcode Fuzzy Hash: de86ae7faef312ef40aea1095a2c8d82aa237df134ea56426ef70bd44d2d4700
                                                                                                    • Instruction Fuzzy Hash: E441D03171C9088FE758FA6DA84967477C1EB59320B4501BAE54EC33A3DEA0BC428795
                                                                                                    Function 00007FF7C0CC78BA Relevance: .2, Instructions: 153COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 377d4fd3cd4776cbaa38470d7df3299d51c6bf88fc4ddd56103fcc6ed86a4290
                                                                                                    • Instruction ID: 6150c99ffed886a48d95effe0f96988564dfd9ecde2b12db6808d32baa1d407d
                                                                                                    • Opcode Fuzzy Hash: 377d4fd3cd4776cbaa38470d7df3299d51c6bf88fc4ddd56103fcc6ed86a4290
                                                                                                    • Instruction Fuzzy Hash: 9B51D17084E6894FD3569B7888657E9BFF0EF46220F0801EAD089D72A2CA7C5997CB51
                                                                                                    Function 00007FF7C0CC0695 Relevance: .2, Instructions: 152COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8c3a8e60e778707e27b3f28d36749d8d1b942bea5dd34b94ec169888c4ec0b88
                                                                                                    • Instruction ID: 02175e8c9e642bd0d4dc6cef03059b2d417da6c7fd84a775827f8def3a31c849
                                                                                                    • Opcode Fuzzy Hash: 8c3a8e60e778707e27b3f28d36749d8d1b942bea5dd34b94ec169888c4ec0b88
                                                                                                    • Instruction Fuzzy Hash: BC510670908A1D8FEBA4EF68D4456FDB7A0EF59321F50117AE01DE7292CB35A8518B90
                                                                                                    Function 00007FF7C0CCA8F5 Relevance: .2, Instructions: 151COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 38c6c3bf626b4db72f6110fa6add2f18743a83e43200673a5beb16536b0edaf7
                                                                                                    • Instruction ID: 15e3f25865ba4ec111f58dfe21095a410e1bfbcbc4730cd00ac33c84ae695e7a
                                                                                                    • Opcode Fuzzy Hash: 38c6c3bf626b4db72f6110fa6add2f18743a83e43200673a5beb16536b0edaf7
                                                                                                    • Instruction Fuzzy Hash: 534126A0A0C54A5FD355A7BC98653EDBBE0FF493A0F0405BBD14ED7283DE2C24468791
                                                                                                    Function 00007FF7C0CCFC50 Relevance: .1, Instructions: 149COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 43cf392ffd006543ed2e971284966cd3ddd7a683afc7e0415585ec0e7d12559f
                                                                                                    • Instruction ID: 4863a19a584cf734eb2c681f138f34ec3a03654332281d037dfe8ab67472b8f4
                                                                                                    • Opcode Fuzzy Hash: 43cf392ffd006543ed2e971284966cd3ddd7a683afc7e0415585ec0e7d12559f
                                                                                                    • Instruction Fuzzy Hash: 324192217089194FE794EF2CE4147F9B7D1EF89321F8442BAE44DC7392DE5968468381
                                                                                                    Function 00007FF7C0CCA520 Relevance: .1, Instructions: 149COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 03a450601ad71fde7955b9a275932398168a026bd9824e586ef630accc9c0800
                                                                                                    • Instruction ID: 177eb4bbe54a763616d6c4dc5efe36869e96a147518dd685ccd1b5a215ff1ef5
                                                                                                    • Opcode Fuzzy Hash: 03a450601ad71fde7955b9a275932398168a026bd9824e586ef630accc9c0800
                                                                                                    • Instruction Fuzzy Hash: 71415621A0CA010FD325BB6CBC925F5B7E0DF52374714427BD18AC7283DA18B45A83D9
                                                                                                    Function 00007FF7C0CCA76D Relevance: .1, Instructions: 149COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1c6ef220942201d24b80131213aeb8e5fea600312f5a3de81b5cf696c842869b
                                                                                                    • Instruction ID: 3ac8ad9b473b783e4efd5ad5ae548aff7255483980db389d28e94534b7947def
                                                                                                    • Opcode Fuzzy Hash: 1c6ef220942201d24b80131213aeb8e5fea600312f5a3de81b5cf696c842869b
                                                                                                    • Instruction Fuzzy Hash: 2041537291CB564BC314BB7CA8566E9BBD4EF94335B04823EE1CDCA293CE28704583D6
                                                                                                    Function 00007FF7C0CC3058 Relevance: .1, Instructions: 147COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d1b4d82f4296bd4082777ee5ec3610ba99e367d592110592de5fc2cdeecee9c2
                                                                                                    • Instruction ID: 95968a485a0bde4c95d2d68801ea45b6f3c48ea137bc054cbf2d8d080300a0fd
                                                                                                    • Opcode Fuzzy Hash: d1b4d82f4296bd4082777ee5ec3610ba99e367d592110592de5fc2cdeecee9c2
                                                                                                    • Instruction Fuzzy Hash: 9B51F870D186198FEB64EF98E4956FDFBB1FF48310F94117AD11AE7282CB3868418B90
                                                                                                    Function 00007FF7C0EA2F88 Relevance: .1, Instructions: 146COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5f3c4714a62a645e2c0cc55cdf422210e024dfa3c73f227f0a8625e41cfb5859
                                                                                                    • Instruction ID: 2b403dcba09b3e796b4997e7c03f5b25be01665e63f5b7a98b87712a7ac64fc8
                                                                                                    • Opcode Fuzzy Hash: 5f3c4714a62a645e2c0cc55cdf422210e024dfa3c73f227f0a8625e41cfb5859
                                                                                                    • Instruction Fuzzy Hash: A3412435B4C6464FE769AB28A450275BBE5EF8E364B5401BAC08AC73C6DF24BC5383D1
                                                                                                    Function 00007FF7C0CD0F43 Relevance: .1, Instructions: 144COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0e4be4926132b24a418736aa4b291b0cea89a2da92a043067df6180986f92968
                                                                                                    • Instruction ID: 3ce8dfe6b99b55490936303621b29c997039022906b4187319cb63f11a8a527f
                                                                                                    • Opcode Fuzzy Hash: 0e4be4926132b24a418736aa4b291b0cea89a2da92a043067df6180986f92968
                                                                                                    • Instruction Fuzzy Hash: 98414E70A1CA8A4FD7A4FB18C485BBAB3D2FF94310F544579D54AC3296DF24F8468781
                                                                                                    Function 00007FF7C0CC5199 Relevance: .1, Instructions: 141COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1258d3969cb60a642028160bd1a2e5c5d0472c2aae0ab7a05cbbfc6840c90675
                                                                                                    • Instruction ID: d5a1545565619e224fd2284d68856eabfa43172b619a984a24810cb2e390383f
                                                                                                    • Opcode Fuzzy Hash: 1258d3969cb60a642028160bd1a2e5c5d0472c2aae0ab7a05cbbfc6840c90675
                                                                                                    • Instruction Fuzzy Hash: 5741D270D09A4C8FDB54EF68D8556ECBBB1FF0A310F4411BAD049E7292CB79A885C750
                                                                                                    Function 00007FF7C0CD116A Relevance: .1, Instructions: 141COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 718abfd37e014afd214c21b8e2329853562bcfa2898a28ced576a6748e615ad4
                                                                                                    • Instruction ID: 72c4900ddf73ce69783c894f2eb51fdbaa675ab209e30ddc7fa31662110ea781
                                                                                                    • Opcode Fuzzy Hash: 718abfd37e014afd214c21b8e2329853562bcfa2898a28ced576a6748e615ad4
                                                                                                    • Instruction Fuzzy Hash: F041A270A08A4D8FDBA9EF28D4556BA77E1FF98351B50017AD50EC3382CF35A91287D1
                                                                                                    Function 00007FF7C0CD932B Relevance: .1, Instructions: 141COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1ae0c9314a8f41bf7c7122412ec0f79611aae565c8e88de519dc014a61d0b66b
                                                                                                    • Instruction ID: 053802d5d49c9b028215219eec417058f3f330048fc77671c45c7d43ae171f04
                                                                                                    • Opcode Fuzzy Hash: 1ae0c9314a8f41bf7c7122412ec0f79611aae565c8e88de519dc014a61d0b66b
                                                                                                    • Instruction Fuzzy Hash: 4D510270D1861D8FDB98EFA8C4846EDBBB1FF59315F50002AE40AE7291CB35A985CB90
                                                                                                    Function 00007FF7C0CD0788 Relevance: .1, Instructions: 141COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: df1d1b2335bb872fbc153eaf07e9cd8d3ca20f13f44f8a3ce8761ed886fde99e
                                                                                                    • Instruction ID: 1dcb28703e4dc573c6f11f5e17dac1520f073fe667f5b55409755c75937fd91c
                                                                                                    • Opcode Fuzzy Hash: df1d1b2335bb872fbc153eaf07e9cd8d3ca20f13f44f8a3ce8761ed886fde99e
                                                                                                    • Instruction Fuzzy Hash: 43414D30A18A4E8FDBA8EF1894556BA77E1FF98711B50016EE50ED3395CF35A81287C1
                                                                                                    Function 00007FF7C0CC340D Relevance: .1, Instructions: 140COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a1b837ac14bd60008871933a7e3323cec82e84d1618e525e103463593054ce27
                                                                                                    • Instruction ID: 7d64723823dd392bfee9c1d4b46faf574c551459d152ccee89b92f0965c7934f
                                                                                                    • Opcode Fuzzy Hash: a1b837ac14bd60008871933a7e3323cec82e84d1618e525e103463593054ce27
                                                                                                    • Instruction Fuzzy Hash: A641B070D0D65D8FEB68EB68D8596ECFBE0FF15320F8402B9D159D32D2CB2824468B90
                                                                                                    Function 00007FF7C0EAE40D Relevance: .1, Instructions: 137COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b7655c68682a8dd0e18372a39b2a2148687ddaaede372eba2a59be796bead84c
                                                                                                    • Instruction ID: 35c502c6a33191a28e21d5f895119fbc940057da60f89ac7eea05a5f7fdfdc83
                                                                                                    • Opcode Fuzzy Hash: b7655c68682a8dd0e18372a39b2a2148687ddaaede372eba2a59be796bead84c
                                                                                                    • Instruction Fuzzy Hash: 28414870D486498FDB55EFA8D4953EDBBB0FF49320F5400AAD049E7391CB386895CB91
                                                                                                    Function 00007FF7C0EABB4D Relevance: .1, Instructions: 137COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b5ed292fb5e5513fba169753de9d46f6482d56fdc211a9ec53b73f03606e0d32
                                                                                                    • Instruction ID: 669422768f3d43fa395e70bb7c1e506cf7b616b41e6439f7afd19b790a1fde97
                                                                                                    • Opcode Fuzzy Hash: b5ed292fb5e5513fba169753de9d46f6482d56fdc211a9ec53b73f03606e0d32
                                                                                                    • Instruction Fuzzy Hash: FA31F631208E088FDB94FB2DD494BB5B7E1EF99311B4404A9D04EC76A2CE25FC82C750
                                                                                                    Function 00007FF7C0EAE06D Relevance: .1, Instructions: 137COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 149495489d485faa79c36df8e66657ef8cb58702ac3091d01e543e78072f834e
                                                                                                    • Instruction ID: 008a65213f772110de57f64842090dd89b205296c0d793c7ac09e6d96e48aa68
                                                                                                    • Opcode Fuzzy Hash: 149495489d485faa79c36df8e66657ef8cb58702ac3091d01e543e78072f834e
                                                                                                    • Instruction Fuzzy Hash: A441B530919A4D8FDB84EF28C895AEEBBF1FF59310F44056AE409D7392CB34A855C781
                                                                                                    Function 00007FF7C0CC251F Relevance: .1, Instructions: 132COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b1cf2e81e7bf85c9c102e991c959b2f5d584962b1840e4fbe27fe6c4440deba8
                                                                                                    • Instruction ID: 8a78a7ba2a57a2d3586c19c22ad5cfcf83e9951c03b501c69d55a80b01078a8a
                                                                                                    • Opcode Fuzzy Hash: b1cf2e81e7bf85c9c102e991c959b2f5d584962b1840e4fbe27fe6c4440deba8
                                                                                                    • Instruction Fuzzy Hash: D841B8709495894FD359EB78C8692F9BFE0EF56320F4405FED18ACB2E2DE2828468751
                                                                                                    Function 00007FF7C0CD26F8 Relevance: .1, Instructions: 130COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 60ed7a637013d5069bdce7e9a42420da72ca1ba7801b1e2d0b990982bee8eea0
                                                                                                    • Instruction ID: 672b53e1393da402c588018d601f0dc0bdc9773d83cb0c3369ac98edefa2634d
                                                                                                    • Opcode Fuzzy Hash: 60ed7a637013d5069bdce7e9a42420da72ca1ba7801b1e2d0b990982bee8eea0
                                                                                                    • Instruction Fuzzy Hash: 6931C42170DA0A4FE7A4EB1CA8553F9B7D1EF98265B54417BD10EC3391DE28F8418390
                                                                                                    Function 00007FF7C0CC6600 Relevance: .1, Instructions: 126COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f5b63d9536b30238a2b67939e99b8f86507365180568c1b92e117d5b38a884c0
                                                                                                    • Instruction ID: f62c0e44c8945c600633b1b4878c8133f81bd7d600ec32828e27990fa445e2c0
                                                                                                    • Opcode Fuzzy Hash: f5b63d9536b30238a2b67939e99b8f86507365180568c1b92e117d5b38a884c0
                                                                                                    • Instruction Fuzzy Hash: 30315E31B18D294FEBA8EB1C94597E9B7D1FF98721F4402BAE40ED7385DE24A80247D0
                                                                                                    Function 00007FF7C0EAC118 Relevance: .1, Instructions: 124COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b591ae0bf0a7fe59b4ff2b9514277c86da6fbb077f348d7085dc3cc965357698
                                                                                                    • Instruction ID: b8a071d58c2931f03b85896073dcaf2f39481663b08bb61774d2e33c1503ddf3
                                                                                                    • Opcode Fuzzy Hash: b591ae0bf0a7fe59b4ff2b9514277c86da6fbb077f348d7085dc3cc965357698
                                                                                                    • Instruction Fuzzy Hash: 0441BE30628B095BD714EB18C0616BAB7D2FF98314F904A7CE19FC3295DF24BA1886D1
                                                                                                    Function 00007FF7C0EA0041 Relevance: .1, Instructions: 122COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a03028c89e8cd4644608ebdfa0c8b81a9acf664d37aa1f07eeca1fc7f1605ebc
                                                                                                    • Instruction ID: 477fc194ca1c5ad6a81bd5ff032ce10ff8131be4bc98ffe0a48022132c651f37
                                                                                                    • Opcode Fuzzy Hash: a03028c89e8cd4644608ebdfa0c8b81a9acf664d37aa1f07eeca1fc7f1605ebc
                                                                                                    • Instruction Fuzzy Hash: 8C417A31C19A9D8FEB95EF24C8543EDBBB1EF59310F4401BAD049D72A2DB382954CBA0
                                                                                                    Function 00007FF7C0EA3499 Relevance: .1, Instructions: 120COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c50ce548e82188fe4018a27ec06e627eb87a36a6f85230dc07186df3d695af10
                                                                                                    • Instruction ID: 62bc08fcdc7f45e7a0e804ae6cad2c945488113b16a0b0d710d1e13713f183ee
                                                                                                    • Opcode Fuzzy Hash: c50ce548e82188fe4018a27ec06e627eb87a36a6f85230dc07186df3d695af10
                                                                                                    • Instruction Fuzzy Hash: 9B413470D496198FDB58EFA8D4943ECBBB1EF49320F4004AAE04EA7391CB786895CB40
                                                                                                    Function 00007FF7C0CCA5CD Relevance: .1, Instructions: 120COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 55f0ad5f8081c69874c64df9166d432e4face065a60bae25408176f70f9807e9
                                                                                                    • Instruction ID: 7f87ce9542163b3fbb1d1f721d81bf3e0514ed3e65c33c7a52219e73119a6863
                                                                                                    • Opcode Fuzzy Hash: 55f0ad5f8081c69874c64df9166d432e4face065a60bae25408176f70f9807e9
                                                                                                    • Instruction Fuzzy Hash: 94314721A0CA064BD728BB6CA8524F9B7E0EF95374714427FD19EC3283EE24B45783D5
                                                                                                    Function 00007FF7C0CDAB48 Relevance: .1, Instructions: 119COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4499019d5b8765531cf76b96290d1810a2519d403183d0f7d2cd7755b4deb0c0
                                                                                                    • Instruction ID: 685f8d174edfe86b375fb62d819c3eafc12a0754a27e8a9e1ef670780e81c2de
                                                                                                    • Opcode Fuzzy Hash: 4499019d5b8765531cf76b96290d1810a2519d403183d0f7d2cd7755b4deb0c0
                                                                                                    • Instruction Fuzzy Hash: 5831F071A189184FDB64EB2CA4497E8B7E0EF59320F4441BAE00DC7296CE24780187D4
                                                                                                    Function 00007FF7C0CC955B Relevance: .1, Instructions: 118COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fb64415e93b7112ce7766be1be9a05078c770ac517b5e2498c9b69c2f0f85c72
                                                                                                    • Instruction ID: f32921e94cdbd2254b8a251a51004d90f7089fac3a69984a245f77e2a3491ec8
                                                                                                    • Opcode Fuzzy Hash: fb64415e93b7112ce7766be1be9a05078c770ac517b5e2498c9b69c2f0f85c72
                                                                                                    • Instruction Fuzzy Hash: ED31A15060EAC25FD317573898643A5BF71FF5726030942EBC09ACB2D7DA28685AC7D2
                                                                                                    Function 00007FF7C0CD851A Relevance: .1, Instructions: 116COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ea3bea3716fac6e0fb5a1f2ea8d549c8009fac22da3810f0c7cf5d097c34b62d
                                                                                                    • Instruction ID: 816710d290c77b251baeac7fd743cbdad932a8508b54b48e5cd6bae8888a67f2
                                                                                                    • Opcode Fuzzy Hash: ea3bea3716fac6e0fb5a1f2ea8d549c8009fac22da3810f0c7cf5d097c34b62d
                                                                                                    • Instruction Fuzzy Hash: A4215A3160C7494FE7A9AA1DEC85BB277D0DF56330F0501AAE58EC72A2DE14FC068791
                                                                                                    Function 00007FF7C0EA9CB0 Relevance: .1, Instructions: 114COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 02af7b4b3aea0fc7b8c595afa8301023776e328c12ec330b31dd457586f33657
                                                                                                    • Instruction ID: 0a4d5579d0bcc7ce471db737468726556eb65e69194314140ee8814a74029676
                                                                                                    • Opcode Fuzzy Hash: 02af7b4b3aea0fc7b8c595afa8301023776e328c12ec330b31dd457586f33657
                                                                                                    • Instruction Fuzzy Hash: 7341D474D0892D8FDBA5EB68C894BE9B7B1FF58310F5041A9D04DE7292CB786A85CB40
                                                                                                    Function 00007FF7C0EA3B78 Relevance: .1, Instructions: 113COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b5b05b056928751d453b05b46f6d5ae57028684157211b972855841d4600a75c
                                                                                                    • Instruction ID: f6fadce10ea3402f9b8421ba0775a0e9bb23ba8a98beb031984a872f3b6bda39
                                                                                                    • Opcode Fuzzy Hash: b5b05b056928751d453b05b46f6d5ae57028684157211b972855841d4600a75c
                                                                                                    • Instruction Fuzzy Hash: 1C31F530658B464FD7A4EF38C495666BBE0FF89320B44057ED48BC3696DB28F851C791
                                                                                                    Function 00007FF7C0CC474B Relevance: .1, Instructions: 113COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c9a6a8c82ef39414208df6c9a7e8f48945a3bc4f9c49d6c79230ad3cdeacf213
                                                                                                    • Instruction ID: 590d3f198a95ac4f1f0c1d7c74ee5924d52c13d25a07b69103134e8cd7808cc0
                                                                                                    • Opcode Fuzzy Hash: c9a6a8c82ef39414208df6c9a7e8f48945a3bc4f9c49d6c79230ad3cdeacf213
                                                                                                    • Instruction Fuzzy Hash: DB41BA7080A6998FD754EFA8D8556EDFBF0EF46220F9454B9E149E3292CB382805CB64
                                                                                                    Function 00007FF7C0CD197F Relevance: .1, Instructions: 111COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a10839b8ff0d36016a72462078a17f4aacd5a1714c2f7bb86620fdd4a6d04af3
                                                                                                    • Instruction ID: 185dd5d395b958917e914241bb2a7f3233c8b66899cd37bdc8b1c8d4aa699230
                                                                                                    • Opcode Fuzzy Hash: a10839b8ff0d36016a72462078a17f4aacd5a1714c2f7bb86620fdd4a6d04af3
                                                                                                    • Instruction Fuzzy Hash: BF31A031A1C9584F9754EB6CA85A5F9BBE1EF58220B4411BAE40DD3252DE206C1287C5
                                                                                                    Function 00007FF7C0CCF6B5 Relevance: .1, Instructions: 107COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6fce2a91a3424414cb59a8d229733a542dc72b9df4b8e2f21f527e88abc538cb
                                                                                                    • Instruction ID: b0a354351e46a5b7979da5687e338adb2d2f9cba7647c0ca4cb4de8b9cbffdc6
                                                                                                    • Opcode Fuzzy Hash: 6fce2a91a3424414cb59a8d229733a542dc72b9df4b8e2f21f527e88abc538cb
                                                                                                    • Instruction Fuzzy Hash: E031F52194EAC61FD306A73488666E5BFA1EF87250B4941FBD089CB293DE1C740A8392
                                                                                                    Function 00007FF7C0CC2831 Relevance: .1, Instructions: 105COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 04739e5f7ec84b7fa9be7fdb85bd85917df57425045662278c9f8095d447e792
                                                                                                    • Instruction ID: 6eeeab3356f708b4db5cf3192ed715b8ac86ad9a465ecb8e857528eb1454b79d
                                                                                                    • Opcode Fuzzy Hash: 04739e5f7ec84b7fa9be7fdb85bd85917df57425045662278c9f8095d447e792
                                                                                                    • Instruction Fuzzy Hash: 6E31F43090DA899FDB55EBA8C4456EDBBF0FF46320F5402EAD149DB292CB3CA542C751
                                                                                                    Function 00007FF7C0EA3AD0 Relevance: .1, Instructions: 100COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1ea3a53c458f01e54c286580eac8e340d339b55965ebfdccb0df3f0d9579e878
                                                                                                    • Instruction ID: 577b7830d234e1ce1f4ec05dd179b51768bcbdea933040e524a0492541580c39
                                                                                                    • Opcode Fuzzy Hash: 1ea3a53c458f01e54c286580eac8e340d339b55965ebfdccb0df3f0d9579e878
                                                                                                    • Instruction Fuzzy Hash: 3121E031BA8A064BD778FD2C9886536B7D6EB8D3207545639E4CFC3781DA24BC2243E1
                                                                                                    Function 00007FF7C0EA9E24 Relevance: .1, Instructions: 100COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 46294f3cd3ac71faf3c7763a3caa632c5f0f4aebe49eb8d1ad3c03939ff8158e
                                                                                                    • Instruction ID: dd391a32c4b90d318f696132cfb11209383a6db72e263973714112fd8ed4ae96
                                                                                                    • Opcode Fuzzy Hash: 46294f3cd3ac71faf3c7763a3caa632c5f0f4aebe49eb8d1ad3c03939ff8158e
                                                                                                    • Instruction Fuzzy Hash: 3431F570E4961C8EDBA4EF5494507FCBBB1EF59320F9050BAD00EE3291CB396A94CB50
                                                                                                    Function 00007FF7C0CC0540 Relevance: .1, Instructions: 99COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 72a11cf09b8823a4e6ab283d3fae10c50ef584f262779262ff27ea79b0aedaae
                                                                                                    • Instruction ID: 16918d598a769ba514af8aec46d12b739d54c4a21e0720284787cef3e6bc88c6
                                                                                                    • Opcode Fuzzy Hash: 72a11cf09b8823a4e6ab283d3fae10c50ef584f262779262ff27ea79b0aedaae
                                                                                                    • Instruction Fuzzy Hash: 97315A31E08A1D8FEB98EF68D4556EEB7B2FF59320F50057AD009E3282CF75A8458791
                                                                                                    Function 00007FF7C0CCABB5 Relevance: .1, Instructions: 97COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a298b9c0a9b2baddf0114400c165b6cf1b6dc5dea9a99e8383a9ca13a22f2eb0
                                                                                                    • Instruction ID: 1219286e09835384dc3bf2d2bad75ecad6f6f7418cdb36cd0eb617a42c834b92
                                                                                                    • Opcode Fuzzy Hash: a298b9c0a9b2baddf0114400c165b6cf1b6dc5dea9a99e8383a9ca13a22f2eb0
                                                                                                    • Instruction Fuzzy Hash: E9210760A0DE4A4FD362A72998987F5B7A1FF59364B0402BBC04EC3392DF28784683D1
                                                                                                    Function 00007FF7C0CCA588 Relevance: .1, Instructions: 97COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 82dbec2e403baeb6c60dd0c150bdffb614b0b57b2c178010fee1b4cf19f9ae66
                                                                                                    • Instruction ID: 08c8c3471407b0fcdd2d9b0bac47f788c04b46c169cf6aac045cc62dd95c5765
                                                                                                    • Opcode Fuzzy Hash: 82dbec2e403baeb6c60dd0c150bdffb614b0b57b2c178010fee1b4cf19f9ae66
                                                                                                    • Instruction Fuzzy Hash: 4B210730A0CB054BD728BB28A8424F5B3E4EF55324714466FD09EC3687EE24B85687C5
                                                                                                    Function 00007FF7C0CD398D Relevance: .1, Instructions: 96COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: aaa08182c2e3fd238a59ba43a777492d50e005b16b468b17b7f4aa19b62509dc
                                                                                                    • Instruction ID: 48c5eae2725d38c198993bec5099efee771541a7a44c4bbf9d946a6737f9202c
                                                                                                    • Opcode Fuzzy Hash: aaa08182c2e3fd238a59ba43a777492d50e005b16b468b17b7f4aa19b62509dc
                                                                                                    • Instruction Fuzzy Hash: EF216F20B18A4A4FEBA4EF6DD494BB5B3D1EF58310B840479D08FC7692CE28F8418790
                                                                                                    Function 00007FF7C0CC4C21 Relevance: .1, Instructions: 96COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a71a4d1c6fb08afe8716ef1d552d4c17d55a9460d378e21d5c7f0c138398c7e4
                                                                                                    • Instruction ID: f4f31d6f77f2996bb10b64686bc22a383b3f88b4b93a5277d1a68619b8838d2a
                                                                                                    • Opcode Fuzzy Hash: a71a4d1c6fb08afe8716ef1d552d4c17d55a9460d378e21d5c7f0c138398c7e4
                                                                                                    • Instruction Fuzzy Hash: 8521A370D09A4D9FDB55EFA8C8556EDBBF0FF59320F0405ABE049D32A1CB246841C791
                                                                                                    Function 00007FF7C0CDAF08 Relevance: .1, Instructions: 95COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0eaf2094d359b691d7fd137cecf21e48ae227c66c734122d83ad75053c8673a3
                                                                                                    • Instruction ID: dc94544a593c40c51e49695bec5e4dcdf1028d2e071fb13639016ea0de16a95d
                                                                                                    • Opcode Fuzzy Hash: 0eaf2094d359b691d7fd137cecf21e48ae227c66c734122d83ad75053c8673a3
                                                                                                    • Instruction Fuzzy Hash: D021D33190CA0C4FDB68EA189806AFD77E1EF89230F44017AE509D3392DE25BC1287D0
                                                                                                    Function 00007FF7C0CDB760 Relevance: .1, Instructions: 94COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ef3ca43938af8ae9d4ee5b9c431e3d7d26f180451a52f5382a1edfa0b5122c20
                                                                                                    • Instruction ID: bac02e64e512d8d7b7c5a4f2c883d45438721f8829408691f02fba83ec53cf56
                                                                                                    • Opcode Fuzzy Hash: ef3ca43938af8ae9d4ee5b9c431e3d7d26f180451a52f5382a1edfa0b5122c20
                                                                                                    • Instruction Fuzzy Hash: D1219530918A4D8FDB95EF1884546EABBF4FF69355F41007AD549D3291CB38A841CBE0
                                                                                                    Function 00007FF7C0CD38C0 Relevance: .1, Instructions: 94COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9b80b68d39722c39b6adfd07cb3900eca940d5d63ddb06db4f3537208a2e3677
                                                                                                    • Instruction ID: dabc61c9068a48686fb1756768ffc92eee5e7b852ab597f7c3e552e8cce52a82
                                                                                                    • Opcode Fuzzy Hash: 9b80b68d39722c39b6adfd07cb3900eca940d5d63ddb06db4f3537208a2e3677
                                                                                                    • Instruction Fuzzy Hash: 0F31D43050CB8A4FD7A5EF2CC4A4AB2BBD1EF59314B0445AED09EC72A2CA69F445C751
                                                                                                    Function 00007FF7C0EABD58 Relevance: .1, Instructions: 93COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7f3eabbbabfabcc3a27a088e7fa7ed8ab90e21f6596e039161fe3a898703d55d
                                                                                                    • Instruction ID: c03975d16375f46a2fdd4c1720d5e6a4572518022fa5b26a0bfc00056fb22d78
                                                                                                    • Opcode Fuzzy Hash: 7f3eabbbabfabcc3a27a088e7fa7ed8ab90e21f6596e039161fe3a898703d55d
                                                                                                    • Instruction Fuzzy Hash: 8421C231918B498BE319FF28C8486B5BBD0FF58314F50057ED44EC32A2DB25B841C792
                                                                                                    Function 00007FF7C0EA3385 Relevance: .1, Instructions: 93COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8f8754b603bf29fe3b3aa8e7387101ec30efa9ccb4803945cd97e701bccacd4d
                                                                                                    • Instruction ID: 087490e1eeceb416beeff318135138e67c28fe5863a4576dbda610df53105361
                                                                                                    • Opcode Fuzzy Hash: 8f8754b603bf29fe3b3aa8e7387101ec30efa9ccb4803945cd97e701bccacd4d
                                                                                                    • Instruction Fuzzy Hash: 78315E708495498FDB45EBA888957ECBBF1EF19310F5445EDD08DE7391CA386986CB00
                                                                                                    Function 00007FF7C0CC770A Relevance: .1, Instructions: 93COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 55cefc9809a9124436c3b9727602179cf7cc4d6efd9a093f64f6ececc8957ede
                                                                                                    • Instruction ID: 00db464d9ce8efcd6211a966ef9910a26294e033c9e518f52f4d4dcb7646283e
                                                                                                    • Opcode Fuzzy Hash: 55cefc9809a9124436c3b9727602179cf7cc4d6efd9a093f64f6ececc8957ede
                                                                                                    • Instruction Fuzzy Hash: 8831FB30D1890D8FDB54EF68C4996EDBBF1FF59310F941179D10AE3681CB38A9928B90
                                                                                                    Function 00007FF7C0CC7B85 Relevance: .1, Instructions: 90COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 42b8ca745cd088f3e111ea99731570d7de5f5aa0eac1e53407f066d685fd8cae
                                                                                                    • Instruction ID: d110bfa9b9c9e6fe678982894e465e38c78581108ebe8ca22971a95517a4e5d9
                                                                                                    • Opcode Fuzzy Hash: 42b8ca745cd088f3e111ea99731570d7de5f5aa0eac1e53407f066d685fd8cae
                                                                                                    • Instruction Fuzzy Hash: 3021E534C0860E8BE774BE24D0806E8F7A0EF46321F901279D11CD7291DB39AA66C790
                                                                                                    Function 00007FF7C0CC47F4 Relevance: .1, Instructions: 88COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 02a7184ffaeb0ccc499d090c1983030704398c0fd725b49a38af942da9b7aacc
                                                                                                    • Instruction ID: e4d55f9d330bd2ccae30131490c4332e6d6705b075df87fdc532d4d8682ad0ae
                                                                                                    • Opcode Fuzzy Hash: 02a7184ffaeb0ccc499d090c1983030704398c0fd725b49a38af942da9b7aacc
                                                                                                    • Instruction Fuzzy Hash: 2C31F620D4A64A8EEB64EF64D4556FDF7B0EF05320F902479E609E3282CB287840CBA4
                                                                                                    Function 00007FF7C0EAB3F1 Relevance: .1, Instructions: 87COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bc2c6c9c52e3a09a1c6da5de17d6c216d6276fad71b7cba1c424b7d148e1cf5b
                                                                                                    • Instruction ID: 85b96783d8056d07ac04c74ccf79dc7a064a1def1e98cd25e83af65c4a7d96d7
                                                                                                    • Opcode Fuzzy Hash: bc2c6c9c52e3a09a1c6da5de17d6c216d6276fad71b7cba1c424b7d148e1cf5b
                                                                                                    • Instruction Fuzzy Hash: 2521C73140D7899FCB4AEF28C8559E67FE0FF56320B0501ABE059C71A3D624E856C7E1
                                                                                                    Function 00007FF7C0CD4359 Relevance: .1, Instructions: 84COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a2f0625d6a4934d84ee058bac79a3186e300b2eececac20406b152ae2cc15ab9
                                                                                                    • Instruction ID: 733c8bece790d3c6c97f64fcb7f3bc86604149408b29f024f64b917f3e64fbb9
                                                                                                    • Opcode Fuzzy Hash: a2f0625d6a4934d84ee058bac79a3186e300b2eececac20406b152ae2cc15ab9
                                                                                                    • Instruction Fuzzy Hash: 4A110422A4DA0E0FE794EB2C68557F5B7D1EF89261B44017BD60CC33A2DE1DF8424390
                                                                                                    Function 00007FF7C0CDB926 Relevance: .1, Instructions: 83COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 34880bf2a8c69ad0fe17837f9bc0d046b6c602b73a9f9e0887af09859010972c
                                                                                                    • Instruction ID: 53144701e1518c9a158b57c174d26b520a8e7b97b6dcfa4d4694de17d3da4b9f
                                                                                                    • Opcode Fuzzy Hash: 34880bf2a8c69ad0fe17837f9bc0d046b6c602b73a9f9e0887af09859010972c
                                                                                                    • Instruction Fuzzy Hash: 4721A230A18A0D8FDF94EF5CC496EAABBE1FF68351B4400A9E509D3361CB25E8518B90
                                                                                                    Function 00007FF7C0CD4A25 Relevance: .1, Instructions: 78COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 59a3b88857be9657d7070b774c3d3730b4d8990788f7c0bf71fc998ec5c38ca2
                                                                                                    • Instruction ID: 23e029389011edcd3d4c95b687acb735f2fa11a06064d015946a7f9c8543f783
                                                                                                    • Opcode Fuzzy Hash: 59a3b88857be9657d7070b774c3d3730b4d8990788f7c0bf71fc998ec5c38ca2
                                                                                                    • Instruction Fuzzy Hash: 5911223174EA855FC3569B3E2C682A0BBD0EF8A31131A02EBD54CC76B3CA24AC1183D5
                                                                                                    Function 00007FF7C0CD5531 Relevance: .1, Instructions: 78COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 944a467e6dfa0987a4120cb379166550eca51ef89645777559c6914fb6e6f273
                                                                                                    • Instruction ID: 1a5f8a21f7ca9455c9b89b058eb71a09bca772796c4c37f3c1704a4b6dc2290e
                                                                                                    • Opcode Fuzzy Hash: 944a467e6dfa0987a4120cb379166550eca51ef89645777559c6914fb6e6f273
                                                                                                    • Instruction Fuzzy Hash: 00210A7050CB859FD315BB28C8193A9FBE0FF99351F4409BBD58AC3292DE34E9458782
                                                                                                    Function 00007FF7C0CC2B29 Relevance: .1, Instructions: 77COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bdc16e79a54d0c26b2cc89eee8e045de28fb8fa80e66679b51930252fbae1d5f
                                                                                                    • Instruction ID: 4db2a766dcaa8451e7ce5548302262c644a953341a3750fa38827b53574cd16c
                                                                                                    • Opcode Fuzzy Hash: bdc16e79a54d0c26b2cc89eee8e045de28fb8fa80e66679b51930252fbae1d5f
                                                                                                    • Instruction Fuzzy Hash: C721F93044E6CA8FD746EFB089166EABFA0EF46350F0405EFE48AC7193CA6C6515C391
                                                                                                    Function 00007FF7C0CDA738 Relevance: .1, Instructions: 77COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 91a46ae33d24e39b12ad4d28e866ff9dd2164a77141516f4148f4a7db21f350b
                                                                                                    • Instruction ID: 3e90f9da292a96fdc290c4e4f1a9444d0d0364b87fe8f8979851be19f712d9a1
                                                                                                    • Opcode Fuzzy Hash: 91a46ae33d24e39b12ad4d28e866ff9dd2164a77141516f4148f4a7db21f350b
                                                                                                    • Instruction Fuzzy Hash: 4F110391A0DA160BF6357769A8063F9ABD0DF42339F544376D24DC0283DF19344282E9
                                                                                                    Function 00007FF7C0CC277E Relevance: .1, Instructions: 76COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 12756c5a9137433d2ef400fa522698658bc8f1d635b4994c79a53fd248c4ffbc
                                                                                                    • Instruction ID: 62059a978e045c94b999842333bf96cf05a5bf064e35cb5b33600e11a5b45fcc
                                                                                                    • Opcode Fuzzy Hash: 12756c5a9137433d2ef400fa522698658bc8f1d635b4994c79a53fd248c4ffbc
                                                                                                    • Instruction Fuzzy Hash: 2721D37090C68C9FDB41FBB8C855AEEBFF0FF99321F0400A6E145D3292DA28A555CB91
                                                                                                    Function 00007FF7C0CC2085 Relevance: .1, Instructions: 76COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dc5fb79e80419b4165c719efbd03f8515a339c2cbf12ad3a404074cba30b8af9
                                                                                                    • Instruction ID: 62f24ac07f35fe97aba476c91d1d0a6ce85e26fbe17657a649539926c40f30cb
                                                                                                    • Opcode Fuzzy Hash: dc5fb79e80419b4165c719efbd03f8515a339c2cbf12ad3a404074cba30b8af9
                                                                                                    • Instruction Fuzzy Hash: AF118E3190866D8FDB54EE28D8406FEB7B0FF4A324F41117AE00DE3291CB79A919CB95
                                                                                                    Function 00007FF7C0CD8214 Relevance: .1, Instructions: 75COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e1cb44221eea5a67df05ccb1706566b317beca998e218560dc701526f8a2851c
                                                                                                    • Instruction ID: f6187df48da142f68ad887220b702de25e756eea0a0e9e3f1261ae58b4b1695b
                                                                                                    • Opcode Fuzzy Hash: e1cb44221eea5a67df05ccb1706566b317beca998e218560dc701526f8a2851c
                                                                                                    • Instruction Fuzzy Hash: 9821B171419B854FC34BAB7488611917FB0FF47325B1A04EBC185CF5B3E629A84AC761
                                                                                                    Function 00007FF7C0CD4A40 Relevance: .1, Instructions: 74COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 31a90ade3a00a05c6e4c9a86c35fadc1708685a9a2cc173b442f7e9e89314303
                                                                                                    • Instruction ID: 22a3dc195ee8d4b8a23dda23fb4cba5685c4130e0f7b330fd18df711739ed529
                                                                                                    • Opcode Fuzzy Hash: 31a90ade3a00a05c6e4c9a86c35fadc1708685a9a2cc173b442f7e9e89314303
                                                                                                    • Instruction Fuzzy Hash: 5111443170ED080FD7949A6E3C983A5B7C0EF8832634A02BBE90CC3362CE619C5183C5
                                                                                                    Function 00007FF7C0EA9DBA Relevance: .1, Instructions: 73COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5954cdd850638f2b1f3ab0194aefd0eb9582f5f41905f67f6fb9253134273153
                                                                                                    • Instruction ID: 9e8e36f940368f18766a447508fd6678d96c34e0fc1c3231d176f90836f867ee
                                                                                                    • Opcode Fuzzy Hash: 5954cdd850638f2b1f3ab0194aefd0eb9582f5f41905f67f6fb9253134273153
                                                                                                    • Instruction Fuzzy Hash: 2221F834A495198FDBA0EF588890BF8BBF5EF5D320F5050A9D04DE7251CB34A995CF50
                                                                                                    Function 00007FF7C0CD23FA Relevance: .1, Instructions: 73COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fbae401ad91af004155871b52ea3ac5affd2f618fd9436628f76557d32b3a384
                                                                                                    • Instruction ID: d0608d3e57375e6e433c7a9dbcd649ed8f2b775c1d24a59a54d0bc0ef227f5b7
                                                                                                    • Opcode Fuzzy Hash: fbae401ad91af004155871b52ea3ac5affd2f618fd9436628f76557d32b3a384
                                                                                                    • Instruction Fuzzy Hash: D7115C50A0D7C50FD765A73948492F5BFD1EF9A161B4841FBC54CC72A3D91CA84583E1
                                                                                                    Function 00007FF7C0CC90D1 Relevance: .1, Instructions: 72COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 31c7bf147b59e7a82ec19ea14139b13352668946b1e46183c9a0880ab11160b8
                                                                                                    • Instruction ID: 3abd5572531dcc6b1becfff4d472f7917009fb953e5a731778cda7dee5fdf3bd
                                                                                                    • Opcode Fuzzy Hash: 31c7bf147b59e7a82ec19ea14139b13352668946b1e46183c9a0880ab11160b8
                                                                                                    • Instruction Fuzzy Hash: C8115720A0D9891FC365EB3894542F5FBE0FF89220B4405EAD04AC3296CF28752583D1
                                                                                                    Function 00007FF7C0CD8468 Relevance: .1, Instructions: 71COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 484659ac524647de4359835802004923138f16dfd53bd493db49d9ddf3c18d08
                                                                                                    • Instruction ID: 223f0f13774bfc267dbfe5eaf196fce40edac5753e6b6e917e5e3c7438f16cce
                                                                                                    • Opcode Fuzzy Hash: 484659ac524647de4359835802004923138f16dfd53bd493db49d9ddf3c18d08
                                                                                                    • Instruction Fuzzy Hash: EF110831D2CF494BD769AB1988A5AB6B7D0FF98725F40043EE58BC3750CF28B4458792
                                                                                                    Function 00007FF7C0EAB40B Relevance: .1, Instructions: 69COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: eb787c8f079363df31da4fa65b53ee37a34f2289059efaec377a99da44903a09
                                                                                                    • Instruction ID: 787db81045c30db0f9f5cebf66666cc7dbca92b329d309da52cecc98c6d8058d
                                                                                                    • Opcode Fuzzy Hash: eb787c8f079363df31da4fa65b53ee37a34f2289059efaec377a99da44903a09
                                                                                                    • Instruction Fuzzy Hash: 78116D3050DA4D8FCB49EF18C8969EA7BE0FF66320B0005AAE459C7262D734E865CB91
                                                                                                    Function 00007FF7C0EA32C7 Relevance: .1, Instructions: 68COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dee6c04daff3f327548803b4b8a8a6c2acbaa3dd521bb02dbdce132594e21bd2
                                                                                                    • Instruction ID: 2c636b10617fc3bb45bc4db72a78ddcf2e20b111f85afb47dd2a0a7a8e2ac64e
                                                                                                    • Opcode Fuzzy Hash: dee6c04daff3f327548803b4b8a8a6c2acbaa3dd521bb02dbdce132594e21bd2
                                                                                                    • Instruction Fuzzy Hash: AC214F70918B5D8FDB95EF28D855BE977B0FF59310F4005AAE41CD3291CB346845CB81
                                                                                                    Function 00007FF7C0EA6F39 Relevance: .1, Instructions: 67COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a28284d31761a331961d8f0044e02fd1ffda6a3089f18a0b5def014fd13398cf
                                                                                                    • Instruction ID: 2fdb779dd5b1a6789ff981f965b599f6ccdb371102036513de80f73b0ab371e9
                                                                                                    • Opcode Fuzzy Hash: a28284d31761a331961d8f0044e02fd1ffda6a3089f18a0b5def014fd13398cf
                                                                                                    • Instruction Fuzzy Hash: B711E639E486154FD668FE249040231BAE6FF9E329B50417DD04AC73C5DB25FC42C2E0
                                                                                                    Function 00007FF7C0EA4710 Relevance: .1, Instructions: 66COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ae9aad255473eaa1a5f29cc0a0bc12ba150a388dff542d167f1cd0fb891c4b51
                                                                                                    • Instruction ID: 28d5a9ce761fa9fd3301b98fcd2fb1de371812760209f722f36c6e952178fcd9
                                                                                                    • Opcode Fuzzy Hash: ae9aad255473eaa1a5f29cc0a0bc12ba150a388dff542d167f1cd0fb891c4b51
                                                                                                    • Instruction Fuzzy Hash: 51214A70628B458FC7A4EF28C581922B7E1FF89314784196EE88BC3B51DB30F8418B81
                                                                                                    Function 00007FF7C0CC274D Relevance: .1, Instructions: 66COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0693ef62e5c7e59a0cd909a52f4804a3c8762c5b1cd0f9ebbbc7e378051b58a8
                                                                                                    • Instruction ID: 6adf5209c900439b2d8526c86bd67b8e0884336ed7fc94e7e0bd9f8025c4fb3b
                                                                                                    • Opcode Fuzzy Hash: 0693ef62e5c7e59a0cd909a52f4804a3c8762c5b1cd0f9ebbbc7e378051b58a8
                                                                                                    • Instruction Fuzzy Hash: 6F11D37090854C9FDB41EFA8C459BEEBFF0EF49321F0400AAE149D32A2DB286885CB51
                                                                                                    Function 00007FF7C0CCB46E Relevance: .1, Instructions: 65COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f19278e73c8b4809371d55e6b86df194600ff4694d14ea1a6b0f9b779dd57414
                                                                                                    • Instruction ID: f39bacecfa020cc3ba0e61e1312602d7e9904ba2d95f31047cd2015e79664ba6
                                                                                                    • Opcode Fuzzy Hash: f19278e73c8b4809371d55e6b86df194600ff4694d14ea1a6b0f9b779dd57414
                                                                                                    • Instruction Fuzzy Hash: 60111E70B1C9189FDB68EB5CE4556ACB7E1FF98721B4001AAE009D3396CF20BC428BC5
                                                                                                    Function 00007FF7C0CC2A6E Relevance: .1, Instructions: 61COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 927e7467a476299efe16aeea3ecc3090e8fcc37d5960e889b60be249073f8195
                                                                                                    • Instruction ID: 33c560cdf24c83c1a01adc6b5b41c5e72d537205f73d1f9335c3488384716f26
                                                                                                    • Opcode Fuzzy Hash: 927e7467a476299efe16aeea3ecc3090e8fcc37d5960e889b60be249073f8195
                                                                                                    • Instruction Fuzzy Hash: 47119170D08A499FDB50EFA8C0955EDFBF0FF59321F5411AAD548D7242CB38A8828B91
                                                                                                    Function 00007FF7C0CD97B4 Relevance: .1, Instructions: 61COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d64a3be65f7f8680c85db2fb544a78b6d6f3fd13a24cd01cc34626ca35710f77
                                                                                                    • Instruction ID: 9b8acdd7e09255afc642e3154c9f91c9d1a02fb224db65ea209dec200d25a08e
                                                                                                    • Opcode Fuzzy Hash: d64a3be65f7f8680c85db2fb544a78b6d6f3fd13a24cd01cc34626ca35710f77
                                                                                                    • Instruction Fuzzy Hash: 4411827084A98C9FDB51EFA8C4956E9BFF1EF56210F14559AC089D7352CA389486CB40
                                                                                                    Function 00007FF7C0CD91FD Relevance: .1, Instructions: 60COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 280cb0d5eb1a8ead3789928f90c3b77a28f87ed5d08dfa88624cc303eedd1614
                                                                                                    • Instruction ID: ca3a63e0bea3ae4e8ad860ed86d358bcc989d6d4533b5bfb04e82dfa0889dcba
                                                                                                    • Opcode Fuzzy Hash: 280cb0d5eb1a8ead3789928f90c3b77a28f87ed5d08dfa88624cc303eedd1614
                                                                                                    • Instruction Fuzzy Hash: 0011C270D0DA4D9FDB51AF68D8552E9FBB0FF4A310F4002A6D149D3292CB39A45587C1
                                                                                                    Function 00007FF7C0CC6CD8 Relevance: .1, Instructions: 59COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b6ea9a88bef2cf7ed0bdccab9b412c2b5cc3ec10872aafa4a1034d5612671e1d
                                                                                                    • Instruction ID: 41f117143cd94529a14ada7dbe2bfe27d98ff11d616805996ceb751a39713521
                                                                                                    • Opcode Fuzzy Hash: b6ea9a88bef2cf7ed0bdccab9b412c2b5cc3ec10872aafa4a1034d5612671e1d
                                                                                                    • Instruction Fuzzy Hash: 4E11DF30E0891D8EDBA8EF98C4957ECB7B1FF59311F8010BAC10EE6252DB3069808B50
                                                                                                    Function 00007FF7C0CCDFB3 Relevance: .1, Instructions: 59COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: cdd5d88c1dd2d254c38d26dfc63c41b3eb1191fa9cb89a7c07b60d1d4b5dd2c9
                                                                                                    • Instruction ID: 96bfb099de366ece186b46dd2bd6cb4673e5c7689640ea518288c1401764718b
                                                                                                    • Opcode Fuzzy Hash: cdd5d88c1dd2d254c38d26dfc63c41b3eb1191fa9cb89a7c07b60d1d4b5dd2c9
                                                                                                    • Instruction Fuzzy Hash: 1011FE70A0492A8FE7A9EB68D8957E8B3A1FF58315F5102FAD11DD3252CF3469918F80
                                                                                                    Function 00007FF7C0CDA6E8 Relevance: .1, Instructions: 56COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8d1c9a6d0e4050ce3fd600d57d9890fc5372bd9de1c604b252fe62d0a08b70a0
                                                                                                    • Instruction ID: 516b28376a9ea1f7634eac83aacebc1877c8dc001a5196d16779cbf3ef39850d
                                                                                                    • Opcode Fuzzy Hash: 8d1c9a6d0e4050ce3fd600d57d9890fc5372bd9de1c604b252fe62d0a08b70a0
                                                                                                    • Instruction Fuzzy Hash: D501F261B0EA165FEB78A62D68493F5F7D4EF89235F00027BD10EC2281DF65788683D4
                                                                                                    Function 00007FF7C0CD6F23 Relevance: .1, Instructions: 55COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4ae991dd7ff4b4111ac49fbd492b06a594449a9c620b6feb9bc9df58479c9a74
                                                                                                    • Instruction ID: 63629c32f35acf3c6aa1ab64bef22cad885fd237553f5a8a29e648d997add636
                                                                                                    • Opcode Fuzzy Hash: 4ae991dd7ff4b4111ac49fbd492b06a594449a9c620b6feb9bc9df58479c9a74
                                                                                                    • Instruction Fuzzy Hash: 7301317130890D8F9788EB1DA84566473D1EB992223551096D40EC7666DE32EC938785
                                                                                                    Function 00007FF7C0CDC519 Relevance: .1, Instructions: 54COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5701364e8182d3f3ee35389dd694648ba48e511272d621fbebda519e483e1e90
                                                                                                    • Instruction ID: 7a7382deab2749d1664766c6c141e15f2932da634122c8bd2012fdba574f3567
                                                                                                    • Opcode Fuzzy Hash: 5701364e8182d3f3ee35389dd694648ba48e511272d621fbebda519e483e1e90
                                                                                                    • Instruction Fuzzy Hash: 5B0149B1B0EB465FC766A33C98513F5BFD0EF8522070542A7C089C3282CE18A88783E2
                                                                                                    Function 00007FF7C0CCC8F1 Relevance: .1, Instructions: 54COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 180b9d9c7662a67ef21e436f5676fa6ae2fc2c6b43838d11a24ae81de2d487d6
                                                                                                    • Instruction ID: fa32fd004c5ec5be186de74ed6b4faf98ee222bffb0113fd56b92d98ac2f7de4
                                                                                                    • Opcode Fuzzy Hash: 180b9d9c7662a67ef21e436f5676fa6ae2fc2c6b43838d11a24ae81de2d487d6
                                                                                                    • Instruction Fuzzy Hash: B201456084E1C96FD712AB788CA41F6BFF4DE47225F0814EBE0D9C7193DA242656C392
                                                                                                    Function 00007FF7C0CDA885 Relevance: .1, Instructions: 54COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c02486df5b08927c6436eb745dd7bdfcee21a21d5cb497c1f5ca94e5ffc512cd
                                                                                                    • Instruction ID: 6d8237b6217f12b52657e98912d62d74f4ce22d0964ecf7a2b17c8db1e0353db
                                                                                                    • Opcode Fuzzy Hash: c02486df5b08927c6436eb745dd7bdfcee21a21d5cb497c1f5ca94e5ffc512cd
                                                                                                    • Instruction Fuzzy Hash: 6E01D631A18A480FE394EA18D8997F5B7D1EF99365F5400BAD50CC73E2DE1AAC418341
                                                                                                    Function 00007FF7C0CCFC38 Relevance: .1, Instructions: 52COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d162091cf14ff8a97a71de3372a90f740e977a10c5c003ced4ec45b1f5c7506a
                                                                                                    • Instruction ID: 772d9295bb9cf825912970a27baeb8d1b254d8c669ada522673d55025522a757
                                                                                                    • Opcode Fuzzy Hash: d162091cf14ff8a97a71de3372a90f740e977a10c5c003ced4ec45b1f5c7506a
                                                                                                    • Instruction Fuzzy Hash: 12F0463160DA891FD345976CD8112E1BBD0EF85225F1401FBE488C33A1DA6FA85383C1
                                                                                                    Function 00007FF7C0CCB95D Relevance: .1, Instructions: 51COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f8c60958c82b0efcf1715bee4f2b9fe6b561bf0bd34871311fb63673b5dfe302
                                                                                                    • Instruction ID: 2ef3ce86349c967ef0c35e37f701a2aad893e280b8710025079a19deb52e96b9
                                                                                                    • Opcode Fuzzy Hash: f8c60958c82b0efcf1715bee4f2b9fe6b561bf0bd34871311fb63673b5dfe302
                                                                                                    • Instruction Fuzzy Hash: 0411CE60A1DFC54EC326A77588647A2BBB0BF52200F4455AEC0CAC7293DE687848C7A2
                                                                                                    Function 00007FF7C0CCB980 Relevance: .1, Instructions: 51COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a27a46136ee77b9c63fc8f7c69a7fe8677759c658eb54abaff6d07d788364609
                                                                                                    • Instruction ID: bb3c14b1f2c3fac003f8a4bec7f65df2ab9cc2e877bb377e6f25b87bf08d38d1
                                                                                                    • Opcode Fuzzy Hash: a27a46136ee77b9c63fc8f7c69a7fe8677759c658eb54abaff6d07d788364609
                                                                                                    • Instruction Fuzzy Hash: 42019261E24E558AD364AB29D0957F6B3E1FF94314F80592DD08FC3386DF7878418791
                                                                                                    Function 00007FF7C0CD42C8 Relevance: .0, Instructions: 50COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: dee58312af3ea56c03cbc85e8ab98652110d9c44d0f767349b081a8ab88807b5
                                                                                                    • Instruction ID: a0db4ad27bf07424ef8dc27dfc8b138db5ab8b4550d385eae9c882e48ffcddfa
                                                                                                    • Opcode Fuzzy Hash: dee58312af3ea56c03cbc85e8ab98652110d9c44d0f767349b081a8ab88807b5
                                                                                                    • Instruction Fuzzy Hash: 6CF0F63271CE4A0FABE8E62C60952B5F3D1EBE8236754017BD94DC3391DE28E9434390
                                                                                                    Function 00007FF7C0CC7C02 Relevance: .0, Instructions: 49COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6144347552f15f233e99a9bf6d6ac0f73edd5188291c8bbb8b5dc54933495ed0
                                                                                                    • Instruction ID: cc0dcba74cbab5a8664cd9b71fac89d1f2c1d7657e14f4fed790cc61f7aa75eb
                                                                                                    • Opcode Fuzzy Hash: 6144347552f15f233e99a9bf6d6ac0f73edd5188291c8bbb8b5dc54933495ed0
                                                                                                    • Instruction Fuzzy Hash: 11F0F035D4860E8BD730AE54E0002F9F7B4EF82320F40213AC10CE3250DB3EAAA5CB98
                                                                                                    Function 00007FF7C0CC35D8 Relevance: .0, Instructions: 49COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a62ea9b21b02930f19a586146f70e5bfdc0cd54332bbf4aa074954b58e75aa65
                                                                                                    • Instruction ID: 1c6a45c5339147021e5f860b67990f1a699a1a69109fc691cacf731c3d545383
                                                                                                    • Opcode Fuzzy Hash: a62ea9b21b02930f19a586146f70e5bfdc0cd54332bbf4aa074954b58e75aa65
                                                                                                    • Instruction Fuzzy Hash: 7EF0CD36D4850D8BE720AE54F0002F9F7B4FF82324F40203AD11CE3240D73AA995CBA8
                                                                                                    Function 00007FF7C0EA19C7 Relevance: .0, Instructions: 48COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 237386f5c5165d03caaaf05c27ae418ceee50557dae8679b6a7f093709699a9d
                                                                                                    • Instruction ID: 3f039895fb695cbfb4ac3b010d6194ce485a34dc3dce35e736f204ef3ad6044a
                                                                                                    • Opcode Fuzzy Hash: 237386f5c5165d03caaaf05c27ae418ceee50557dae8679b6a7f093709699a9d
                                                                                                    • Instruction Fuzzy Hash: CE115271908A2D8FDBA4EF18C895BE8B7B2FB58311F5045E9904DE3251CA74AAC1CF40
                                                                                                    Function 00007FF7C0EA7439 Relevance: .0, Instructions: 48COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3ccdcefcee77e9aa578689951e7598d603883c7054488318a030f24207cf9d09
                                                                                                    • Instruction ID: c703e8f20b55faeacd6ede0a94091243d5e792360b495b7e8e385438c507508e
                                                                                                    • Opcode Fuzzy Hash: 3ccdcefcee77e9aa578689951e7598d603883c7054488318a030f24207cf9d09
                                                                                                    • Instruction Fuzzy Hash: 0001D431648E068BE315EE2DD4943A5B792EBC8320F54467EC49AC73D1DF39F5928380
                                                                                                    Function 00007FF7C0CC9E06 Relevance: .0, Instructions: 48COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6b50974c7e87fef0de284cd71c9813b057d28702b1a08a30eda354f403ac43b4
                                                                                                    • Instruction ID: 11e1d8d72436e8e0b96ed41f9121922c3a36d085241409e586b7004c824897b3
                                                                                                    • Opcode Fuzzy Hash: 6b50974c7e87fef0de284cd71c9813b057d28702b1a08a30eda354f403ac43b4
                                                                                                    • Instruction Fuzzy Hash: 3B01F911F0DD4A1FD7D6AB2D5854274A6C2EF88261BD811BBD10EC3393DE28EC414340
                                                                                                    Function 00007FF7C0EA8B65 Relevance: .0, Instructions: 47COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: db50dab4a07c84f4e1aeaa71adce2d11a32bd4bbdfeda2323b781da79a1f3699
                                                                                                    • Instruction ID: e28ff7268ef8f3817bfcfbf0bef2d2f2fd3dc3bb6dd9ccf4d464294053a939a9
                                                                                                    • Opcode Fuzzy Hash: db50dab4a07c84f4e1aeaa71adce2d11a32bd4bbdfeda2323b781da79a1f3699
                                                                                                    • Instruction Fuzzy Hash: 2D019E30A44A058FE765FB3894042E6BBE1FF48321F40097AD49EC3291DB39B49287A0
                                                                                                    Function 00007FF7C0CD2455 Relevance: .0, Instructions: 47COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 421bcb8d3bf4cb369d1f7d04d41e6b9344e9ed305c32808ad97fe7b43dde5fc9
                                                                                                    • Instruction ID: f5e46a3eab3c6c6219ba346d7505920ad8fe64478f2267e3385552d4b8fc87c2
                                                                                                    • Opcode Fuzzy Hash: 421bcb8d3bf4cb369d1f7d04d41e6b9344e9ed305c32808ad97fe7b43dde5fc9
                                                                                                    • Instruction Fuzzy Hash: A1F0E95070DF891FC356A37E18A42F4BBD1EFAD06535901BBC049C32A3DD585C5683D1
                                                                                                    Function 00007FF7C0EA75D1 Relevance: .0, Instructions: 46COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: eec64e4dccc14b64c2b16ed4dcc59eae56ffc202abd39b2c0742adbad9591e3c
                                                                                                    • Instruction ID: 867896c85256d07c20359f87eaefecb1d2ea93d7a052af8fec226f61639c8567
                                                                                                    • Opcode Fuzzy Hash: eec64e4dccc14b64c2b16ed4dcc59eae56ffc202abd39b2c0742adbad9591e3c
                                                                                                    • Instruction Fuzzy Hash: C2012C31A19A05CFD764FB28D4406A6B7A1EF98314B90497ED04AC7696CB39F895C780
                                                                                                    Function 00007FF7C0CDAB00 Relevance: .0, Instructions: 46COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e74d31041370e6c7fd9b4d4dfb6c57e059fdaf2f1c1023c7d9031e978d9a386b
                                                                                                    • Instruction ID: eb3ab5dbe2f9ce70bebfc4ea10681651069dd433ec02c8f5a92aee0859f633b7
                                                                                                    • Opcode Fuzzy Hash: e74d31041370e6c7fd9b4d4dfb6c57e059fdaf2f1c1023c7d9031e978d9a386b
                                                                                                    • Instruction Fuzzy Hash: 5FF06D1191C9921BE66577A824167F8A7C19F19774FC851F6E14ECB3C3DE4C388242A5
                                                                                                    Function 00007FF7C0EA3E44 Relevance: .0, Instructions: 45COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 884506b8fedb00c538522b2633fd8cdc608f44d6423a5dd1eceb96d45c392711
                                                                                                    • Instruction ID: 150a71d51d4cde6f8130673077b0c5a1bb8fcfb1e833140cc29af6c8f4e8e2fc
                                                                                                    • Opcode Fuzzy Hash: 884506b8fedb00c538522b2633fd8cdc608f44d6423a5dd1eceb96d45c392711
                                                                                                    • Instruction Fuzzy Hash: 9E01F291E1CA874AE759BB3848952F1B790FF64350F44417AD04BC7283EF28F8588781
                                                                                                    Function 00007FF7C0CC49D0 Relevance: .0, Instructions: 45COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8aff61343cbb6c5f8bc6c9cd7d95533e39d9c32458cda5c61f3b109ad0694b19
                                                                                                    • Instruction ID: 48521ae99a412b8e90497259b8a795716ff393c951bdc2d08cd44219fa9d372e
                                                                                                    • Opcode Fuzzy Hash: 8aff61343cbb6c5f8bc6c9cd7d95533e39d9c32458cda5c61f3b109ad0694b19
                                                                                                    • Instruction Fuzzy Hash: 6F010830E5491E8BEBA4EE18D851AADB3A2EF44650F906576D10ED2296CE397C418B50
                                                                                                    Function 00007FF7C0CCF640 Relevance: .0, Instructions: 45COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ac1d2711943360a1db3a5ef35afdc906c62c61217a711daeaed858a2ecd46b28
                                                                                                    • Instruction ID: cd12ee273a55a5c6ab9963ddcd5ccb0402abc0a8ec4557635870811e18d35cd7
                                                                                                    • Opcode Fuzzy Hash: ac1d2711943360a1db3a5ef35afdc906c62c61217a711daeaed858a2ecd46b28
                                                                                                    • Instruction Fuzzy Hash: 0BF06224B24D4A8F9BA8EB2884906B6B3E2FFA43547545579C00AC3646EF34F8434381
                                                                                                    Function 00007FF7C0CD2175 Relevance: .0, Instructions: 44COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c0566d04f8fea447ed310ac408293b3457588db2776fd6811a20f876ef1416ca
                                                                                                    • Instruction ID: e6fa81ecff578d1a5e6666b71cb016725fc2a84b809f66df826c29279768d9c1
                                                                                                    • Opcode Fuzzy Hash: c0566d04f8fea447ed310ac408293b3457588db2776fd6811a20f876ef1416ca
                                                                                                    • Instruction Fuzzy Hash: 24F02B2160DA480FC3A0EB1C58585F8B7D1EF9922174502E7D648C73A2DB09AC0043A0
                                                                                                    Function 00007FF7C0EA1B26 Relevance: .0, Instructions: 43COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4552fa64a06aee66d6de76f3d39f518f1e103755e9f2037d4a379a9754dd9a3f
                                                                                                    • Instruction ID: cfcf886bf2034c5a588566dbfd1e6e767552f6286780c8875068a4e41864dbc1
                                                                                                    • Opcode Fuzzy Hash: 4552fa64a06aee66d6de76f3d39f518f1e103755e9f2037d4a379a9754dd9a3f
                                                                                                    • Instruction Fuzzy Hash: EC014874A08529CFDB18EF59C4503EDF7B5FF49710F540179D009A3282CB786955CBA0
                                                                                                    Function 00007FF7C0EA1901 Relevance: .0, Instructions: 42COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: be4a573368686e83a0d4c5720891268d4e20f0a8ebb935aff24955a33b763cc2
                                                                                                    • Instruction ID: a4f1546c678f8187128ac5e22b6ce806b0c3f28a4ba59ada23fe1998ef831498
                                                                                                    • Opcode Fuzzy Hash: be4a573368686e83a0d4c5720891268d4e20f0a8ebb935aff24955a33b763cc2
                                                                                                    • Instruction Fuzzy Hash: B301AC74E4491E8FDBE4EF18D894BA9B7B1FB59350F5141E5800DE3652DA306D858F40
                                                                                                    Function 00007FF7C0CCB768 Relevance: .0, Instructions: 42COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a523d8da98dcdf14ae45915a52cc0727e071d8d0efa8d23eb02584e44ee9a180
                                                                                                    • Instruction ID: e713b4ca17976468b9f58307dafbfe8fcda716077058213ba872d65f62f8fb39
                                                                                                    • Opcode Fuzzy Hash: a523d8da98dcdf14ae45915a52cc0727e071d8d0efa8d23eb02584e44ee9a180
                                                                                                    • Instruction Fuzzy Hash: F3F0593161959D0FD7649A2CD4053F2BBC1EFC5335F4401BEE849D3390C92EA8038380
                                                                                                    Function 00007FF7C0CC48D7 Relevance: .0, Instructions: 42COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bf1f5604d4bbfd1d610dd64a9b3054f6d136185c47236a81c7c117e346c92721
                                                                                                    • Instruction ID: 61ddf64c453c39a9c6d05219d57cde9fbf9b67e5e367541794358a3b2df652e3
                                                                                                    • Opcode Fuzzy Hash: bf1f5604d4bbfd1d610dd64a9b3054f6d136185c47236a81c7c117e346c92721
                                                                                                    • Instruction Fuzzy Hash: 39018F70D18A598FDB98EF18C895BAAF3F2FF44740F1082A8D04EC3292CF34A9558B40
                                                                                                    Function 00007FF7C0CCFD92 Relevance: .0, Instructions: 41COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fec3a6005785aa84bba65cd50021967ea4c22de32c4394d4a30f68fac21140af
                                                                                                    • Instruction ID: 297cd8ad0ffa32db265e2c39f4fa9023a11e315ec415aaeb8677058b4a5b4bf7
                                                                                                    • Opcode Fuzzy Hash: fec3a6005785aa84bba65cd50021967ea4c22de32c4394d4a30f68fac21140af
                                                                                                    • Instruction Fuzzy Hash: D0F0F42050D6961FD31AAF28D4146E0BFE0EF46320B5801E6D448CB297EA18B89587A1
                                                                                                    Function 00007FF7C0CC4643 Relevance: .0, Instructions: 41COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: aef70db5873a0ffd7c095a6b29108be3bca56e87aaa62187ad093c8dc0e9b085
                                                                                                    • Instruction ID: 5a4cb07633397cc6168bed47b8a34294f07f4c5e2d25e0dae5ef28eae4e847fe
                                                                                                    • Opcode Fuzzy Hash: aef70db5873a0ffd7c095a6b29108be3bca56e87aaa62187ad093c8dc0e9b085
                                                                                                    • Instruction Fuzzy Hash: B2013130E049098FE7A4DF28C4957A9B7B1FF46760F5446B9D00ED2396CE36AC86CB40
                                                                                                    Function 00007FF7C0CC9075 Relevance: .0, Instructions: 41COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b3bae15585863895b752cd7d3a72346e8f4bb9a68a210eab0fa0a820d6a3b5d3
                                                                                                    • Instruction ID: 936b53ed74c36f12ce01fa08de96fe3eff150d5761f2a5ba37b025adf204bc87
                                                                                                    • Opcode Fuzzy Hash: b3bae15585863895b752cd7d3a72346e8f4bb9a68a210eab0fa0a820d6a3b5d3
                                                                                                    • Instruction Fuzzy Hash: 66F02710A4EA961FC367532C24901E5BB91EFCA22038902EBD049C7397CE1C2C6683E1
                                                                                                    Function 00007FF7C0EA19B3 Relevance: .0, Instructions: 38COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 49d6c54c89cb79eab43b7936d643fa681b74deeb3c74a16f9126c6a350e237e4
                                                                                                    • Instruction ID: 54a05ad226ac312365d51caaf1b99be1ed606e070fa48d7ba62cdb2c386c12f7
                                                                                                    • Opcode Fuzzy Hash: 49d6c54c89cb79eab43b7936d643fa681b74deeb3c74a16f9126c6a350e237e4
                                                                                                    • Instruction Fuzzy Hash: 74019230A08A2D8FDBE4EF18C894BA8B7B2FB5C310F5041E9800DD3251CA34A991CF40
                                                                                                    Function 00007FF7C0CC3200 Relevance: .0, Instructions: 38COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b33a8ca9a2782b69f80ced45363e43de47283295541c41fb00b036cd1501043a
                                                                                                    • Instruction ID: d3b16ae72bcc0e79c0fbac86512246125c2de37ded6e6d354283060a925578ad
                                                                                                    • Opcode Fuzzy Hash: b33a8ca9a2782b69f80ced45363e43de47283295541c41fb00b036cd1501043a
                                                                                                    • Instruction Fuzzy Hash: 88F0A031C0864C8BDB64AE65E0007FDF7B8FF4A315F802039D51CE6281C77AA595CB64
                                                                                                    Function 00007FF7C0CD36A5 Relevance: .0, Instructions: 38COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d0fdef32612ebcfeb14339f8d66e301fbd2b48e92bfdaab29004552d2e5b16a5
                                                                                                    • Instruction ID: 5c821309b81da3fa68240d3a1933bb5dd1fd5bbdffd227acd192c3fb24df1c1e
                                                                                                    • Opcode Fuzzy Hash: d0fdef32612ebcfeb14339f8d66e301fbd2b48e92bfdaab29004552d2e5b16a5
                                                                                                    • Instruction Fuzzy Hash: 37F05971A1CB4A4FD359EB2CC5446D0BBE0FF48321B9502AAE408C7393EB28F89187C0
                                                                                                    Function 00007FF7C0EA8C88 Relevance: .0, Instructions: 37COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3362cd0b76403b4a4042e28641cdd9d83b1baae189cadbbd9c3556bf56416016
                                                                                                    • Instruction ID: 69c4cbb8b1bf748e8016f38cbee88403e13fc888110585011ddf5ccaa0371256
                                                                                                    • Opcode Fuzzy Hash: 3362cd0b76403b4a4042e28641cdd9d83b1baae189cadbbd9c3556bf56416016
                                                                                                    • Instruction Fuzzy Hash: EF01A530A44B058BE324EF29C1456A6B7E1FF48328F50093DD59A82A95CB79F896CB91
                                                                                                    Function 00007FF7C0CC496B Relevance: .0, Instructions: 37COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 7f6100845cb301ff9770a04473dc18abb11225cbe8d099f3c738a85687e641ee
                                                                                                    • Instruction ID: 08ad901d93ead14161e406786a70f969124b2bcc47854ee1e47966edd696db60
                                                                                                    • Opcode Fuzzy Hash: 7f6100845cb301ff9770a04473dc18abb11225cbe8d099f3c738a85687e641ee
                                                                                                    • Instruction Fuzzy Hash: DDF03171D185694FDBA8EF28D845B9AB3B4FF54314F4043A9C00DD3145CF34A9468B84
                                                                                                    Function 00007FF7C0CD23A7 Relevance: .0, Instructions: 36COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d1bc2883ec5bb2fc49a60492fb6e63aef7dfbc23ccdcdaf5f12cd0cbe86d7ece
                                                                                                    • Instruction ID: 5da0e56b19ef754bebeae0ca2c5927bd69eb043aa370a954fa0ec57b1304c899
                                                                                                    • Opcode Fuzzy Hash: d1bc2883ec5bb2fc49a60492fb6e63aef7dfbc23ccdcdaf5f12cd0cbe86d7ece
                                                                                                    • Instruction Fuzzy Hash: 82F030207089098FD5F4EF0CE894AB8B3D5EF5832179015B6E64DC73A5CF19EC418790
                                                                                                    Function 00007FF7C0CD773B Relevance: .0, Instructions: 36COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 85e59dbfff37577777f6d70123fba911e33d5f6113a85b757f1b2f6cacb8a73d
                                                                                                    • Instruction ID: 599b7c923cd93320166ea5e87f51843f6e5f95fdf0c8833d6b8e69cd9cee9155
                                                                                                    • Opcode Fuzzy Hash: 85e59dbfff37577777f6d70123fba911e33d5f6113a85b757f1b2f6cacb8a73d
                                                                                                    • Instruction Fuzzy Hash: 19F0547160CD458FD6B5DA0CE894AA9B3D2FFD4721F515B69D04DC7259C730EC468780
                                                                                                    Function 00007FF7C0CC7871 Relevance: .0, Instructions: 36COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d3710131224d69b16fdd0f8a5c68de07ddd14bbd30d9de8648fe2edbb116e29c
                                                                                                    • Instruction ID: 98afbaf70bb79c57f5fe44ccf9d116ec3a0fee6ab8f796923557aecd21e88f7e
                                                                                                    • Opcode Fuzzy Hash: d3710131224d69b16fdd0f8a5c68de07ddd14bbd30d9de8648fe2edbb116e29c
                                                                                                    • Instruction Fuzzy Hash: 4DF03030C4560D8FCB24AE55E4453FDF6B4FF4A325F902639D10CA2281D779A6D4CB94
                                                                                                    Function 00007FF7C0CD7A5C Relevance: .0, Instructions: 35COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d65f6103eb09303021a1b01ef6f561ac0ed596384b33094d5b259835e27d9a39
                                                                                                    • Instruction ID: 5e0e5211128ebaac1ba92c190edd1157a33a394b4139395cc5bf304b97e29379
                                                                                                    • Opcode Fuzzy Hash: d65f6103eb09303021a1b01ef6f561ac0ed596384b33094d5b259835e27d9a39
                                                                                                    • Instruction Fuzzy Hash: 1FF05435A0C9498FD6B4E90DE894AA9B3D1FFD4710F951699C14DC3259C630ED468780
                                                                                                    Function 00007FF7C0CD809C Relevance: .0, Instructions: 35COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2c910592fa19c84995efebd1b75e6de61683a7211bea02920ea4c3fc0596ba5a
                                                                                                    • Instruction ID: d3d368d7a4ef1536c05170183bae35bf2461f800cf5d5080ca1356b75a6991db
                                                                                                    • Opcode Fuzzy Hash: 2c910592fa19c84995efebd1b75e6de61683a7211bea02920ea4c3fc0596ba5a
                                                                                                    • Instruction Fuzzy Hash: C1F03A20608E488FD6B4EA18D898BA9B3E1FF98311F950569C04DC72A1CB34BC458741
                                                                                                    Function 00007FF7C0EA4610 Relevance: .0, Instructions: 33COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2e1adb07c436c897ab90414759d50dd39070d6318537730eb2918fa3e648afba
                                                                                                    • Instruction ID: 8483420cd66d1d3a98614580f6f5f3e6fc8340a61f9bf82d6b18cedd20ba4add
                                                                                                    • Opcode Fuzzy Hash: 2e1adb07c436c897ab90414759d50dd39070d6318537730eb2918fa3e648afba
                                                                                                    • Instruction Fuzzy Hash: 48E04F12B49825167A5475791C8E1BD89C6CBDC6B27800236F418C2392DE8C6E9283F5
                                                                                                    Function 00007FF7C0EAD621 Relevance: .0, Instructions: 33COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 51f4193117afb28d1b8bb3116333f6e4821411d5849ecdfff35d01a3691ff430
                                                                                                    • Instruction ID: 385479839e562369335e324e9ecbe24ed5a5c98710134683f5e73ac0d8a005b5
                                                                                                    • Opcode Fuzzy Hash: 51f4193117afb28d1b8bb3116333f6e4821411d5849ecdfff35d01a3691ff430
                                                                                                    • Instruction Fuzzy Hash: 97E0203190C6444FD7057A28C86669577E0FFA9721FC502F3D448C7287DA1CE9874391
                                                                                                    Function 00007FF7C0CC72BD Relevance: .0, Instructions: 33COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 735c314b65665534ea0ca219576d1c4a6bed759f505358d0cda72b7b6ede2121
                                                                                                    • Instruction ID: fc8417ad9c15540aba79eb51cdd226ddde8b24bb886c475fba1b371ca3b6354a
                                                                                                    • Opcode Fuzzy Hash: 735c314b65665534ea0ca219576d1c4a6bed759f505358d0cda72b7b6ede2121
                                                                                                    • Instruction Fuzzy Hash: 60F0893094865D4ED7B5AF64C4153EAB7E0EF45310F4019BBA40DE3392CF7569948781
                                                                                                    Function 00007FF7C0CCC4D8 Relevance: .0, Instructions: 33COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 32c6e41c61eff02f5a71589e7f5039531ed887a25e3a447f24603dd1aacac63f
                                                                                                    • Instruction ID: 89caf9be9c6777f76bed020cd12f43af353f60f84e7e5f4974ef74d8799857ac
                                                                                                    • Opcode Fuzzy Hash: 32c6e41c61eff02f5a71589e7f5039531ed887a25e3a447f24603dd1aacac63f
                                                                                                    • Instruction Fuzzy Hash: 27F082645595858FD701ABE8D8516E9BBE4FF8A320F5004F9D19ACB283EA693817C702
                                                                                                    Function 00007FF7C0CD8D0D Relevance: .0, Instructions: 33COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 60ddd536ffff1d8f1d24c2ef0c4a91d0b4ae08be13cde57f2e23810e553b38f1
                                                                                                    • Instruction ID: 608cbed6e4bc290a4182fdaba1c94b1c4a02b3e03385e10e1bd2a366af20ff3b
                                                                                                    • Opcode Fuzzy Hash: 60ddd536ffff1d8f1d24c2ef0c4a91d0b4ae08be13cde57f2e23810e553b38f1
                                                                                                    • Instruction Fuzzy Hash: FFF0A721B0891A4FE6B1B71895557E977D1DF25210B4500E6D609C73D3FB08AC4543D5
                                                                                                    Function 00007FF7C0EA68A5 Relevance: .0, Instructions: 31COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: de3979d2dabc1d15bb6992a1795581ae8037997fcd47a4b5c846f5d343c777e7
                                                                                                    • Instruction ID: d09bca0cdc10b16e56b7cda2a7d8c91a6fc787c746be1652904d867158f51730
                                                                                                    • Opcode Fuzzy Hash: de3979d2dabc1d15bb6992a1795581ae8037997fcd47a4b5c846f5d343c777e7
                                                                                                    • Instruction Fuzzy Hash: D9E0613185DF850FD36DA63858550D07BD0EB4923134800BFD445C7293DF5D78818391
                                                                                                    Function 00007FF7C0CC8EF2 Relevance: .0, Instructions: 31COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c2b4d7753d7b2ee16aa7cd1a96cf73f21020756add60eeb0f11e281957acf9b4
                                                                                                    • Instruction ID: f7994d8eb29dcae0b77c1d7edebe0cb039b660d64fde935ab39386d108a6a7f8
                                                                                                    • Opcode Fuzzy Hash: c2b4d7753d7b2ee16aa7cd1a96cf73f21020756add60eeb0f11e281957acf9b4
                                                                                                    • Instruction Fuzzy Hash: 77E0CD06A0D6550BD32571397D921E4BB51DFC712078950F7D55CC73C7D8192C8A53D1
                                                                                                    Function 00007FF7C0EA3708 Relevance: .0, Instructions: 30COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 38ce78e6f2c68dd9740fa8dfc1ba05988c6797b77288649be396ce0b2f1bf14f
                                                                                                    • Instruction ID: a87cb595bad6bb341b493422f50f75c5d3d5102e636361e46c42fd3fd74a35eb
                                                                                                    • Opcode Fuzzy Hash: 38ce78e6f2c68dd9740fa8dfc1ba05988c6797b77288649be396ce0b2f1bf14f
                                                                                                    • Instruction Fuzzy Hash: D0E01A34614A1C8FCB50EF18E804B95B7B4FB5A315F4101D5E44CD7110C331DA55CB41
                                                                                                    Function 00007FF7C0CC42BA Relevance: .0, Instructions: 29COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3856474d6b9be216660193fe9ffc56e9b85a08b1630a696d43ab9685f384ac5c
                                                                                                    • Instruction ID: f5b2af811e74390d99bb4c117cafbe18ddff9ef62d733488217a16e9592a4c83
                                                                                                    • Opcode Fuzzy Hash: 3856474d6b9be216660193fe9ffc56e9b85a08b1630a696d43ab9685f384ac5c
                                                                                                    • Instruction Fuzzy Hash: 44E02226E1C6928BE300773D68832D43750AF91231B8981B6E4C4CC0D3EA0C75AA42EE
                                                                                                    Function 00007FF7C0CCB1B0 Relevance: .0, Instructions: 27COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 775c1ca8b49c1cec239d939dee57d7012c11fd7df72f14fb1ef10de208b66b64
                                                                                                    • Instruction ID: 100aeeb2a93aa1823668e088bc5b0b97101f2952a93218fdd0404d1537dfa789
                                                                                                    • Opcode Fuzzy Hash: 775c1ca8b49c1cec239d939dee57d7012c11fd7df72f14fb1ef10de208b66b64
                                                                                                    • Instruction Fuzzy Hash: B0E04820708D1A0EF5B4BB5D95417FDA1C5DF28310B810075E61DC23D1EF08BC4547D5
                                                                                                    Function 00007FF7C0CC4A71 Relevance: .0, Instructions: 27COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 278bd57d45520228add73ccfb3d2b2879b5ff65cdae1991e065a13d6f0d4f6d6
                                                                                                    • Instruction ID: 89b71191175b96b9dd8f1fd9877165df2d32e5f75165a244dcbf284e3b394a70
                                                                                                    • Opcode Fuzzy Hash: 278bd57d45520228add73ccfb3d2b2879b5ff65cdae1991e065a13d6f0d4f6d6
                                                                                                    • Instruction Fuzzy Hash: 1FE03230E0885C8ADBA4EA58C840BFCF7B0EF89350F5089BAC00EF2251CE3568C58B00
                                                                                                    Function 00007FF7C0CC5842 Relevance: .0, Instructions: 27COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c70890413207831839882c2ab41ba9a4efac74828320dc9036e1103b2a22ed89
                                                                                                    • Instruction ID: 4b0cf38e56d70bf874fd3a05a89f0bacc3a8c8c7dcc97f512c043bd8cf731839
                                                                                                    • Opcode Fuzzy Hash: c70890413207831839882c2ab41ba9a4efac74828320dc9036e1103b2a22ed89
                                                                                                    • Instruction Fuzzy Hash: 21E01A71A4450E8BCB54EB58E4805EEF371EF84320F905676E10DD7246CB35A852C780
                                                                                                    Function 00007FF7C0CC42C0 Relevance: .0, Instructions: 26COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 20986a5f33b4efe845e3593aceb11bd1a3c6e5004ee374db3141dc0fc5e8aa05
                                                                                                    • Instruction ID: f8f0670a164df56498619d3d68b9c018708fbd104187f9361ff0249364582bcc
                                                                                                    • Opcode Fuzzy Hash: 20986a5f33b4efe845e3593aceb11bd1a3c6e5004ee374db3141dc0fc5e8aa05
                                                                                                    • Instruction Fuzzy Hash: 8EE0D825D182514BE600377D68432E433509F81374B88C1B6E4C8CC1D3EB0C34A942DE
                                                                                                    Function 00007FF7C0CC24D4 Relevance: .0, Instructions: 25COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 110697a84028bbddc790ee0fa77e52672bf01b18d6240c8594136de02e33e0f6
                                                                                                    • Instruction ID: d189134a0d92ef9c56882b43a5bfa3b386d942a769f807fe3792dee948460e5d
                                                                                                    • Opcode Fuzzy Hash: 110697a84028bbddc790ee0fa77e52672bf01b18d6240c8594136de02e33e0f6
                                                                                                    • Instruction Fuzzy Hash: 4FF0A0B4A4D1468FC356EFA4C4500B47BE0EF46320B0414AEC146C77E2C7BA6403DB01
                                                                                                    Function 00007FF7C0CC45F8 Relevance: .0, Instructions: 25COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0e85bc3e72ed1d36d5ca879f904f6e0f468d226b8c0ac9fd448ec120931a8997
                                                                                                    • Instruction ID: 05877260613139423f2a145b484745595edee59b2a2fe4c4ed7ac323ae573f05
                                                                                                    • Opcode Fuzzy Hash: 0e85bc3e72ed1d36d5ca879f904f6e0f468d226b8c0ac9fd448ec120931a8997
                                                                                                    • Instruction Fuzzy Hash: 4FE0ED70D0985A9FE758EB28CC59BE8B3A1FF11384F4041A4C14DCB283CE387C848B80
                                                                                                    Function 00007FF7C0CE3A40 Relevance: .0, Instructions: 23COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 50b03994ddb9910c44b062007cf7d14783d5ab66cce147d02f3991dea393fdea
                                                                                                    • Instruction ID: d7a67cc0a0dd46ab8a5f0f6b78a24737ebf83fc92d002b38157471afec1d06bb
                                                                                                    • Opcode Fuzzy Hash: 50b03994ddb9910c44b062007cf7d14783d5ab66cce147d02f3991dea393fdea
                                                                                                    • Instruction Fuzzy Hash: 50E017306188198FDBB8EFACA098BE1B3D1FF48314B4500A69469D73A5DA25EC9297C1
                                                                                                    Function 00007FF7C0CCA2F8 Relevance: .0, Instructions: 22COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 0506c4f263eab72e6fdb8ad3d0c421e621c66a4df58f0ba045816698a7dc3756
                                                                                                    • Instruction ID: 6e4ab9e900cb1e85fc0bf4232357160a55fbda99253e9925aa8c2abbaa89541a
                                                                                                    • Opcode Fuzzy Hash: 0506c4f263eab72e6fdb8ad3d0c421e621c66a4df58f0ba045816698a7dc3756
                                                                                                    • Instruction Fuzzy Hash: 7BE0CD7190D50A5FD7A5BB3844C8399B751FFC42517754165D00DC3246EE307C508BC5
                                                                                                    Function 00007FF7C0CC516A Relevance: .0, Instructions: 18COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fe7677e66213964fe25d853f61b63bbbb15e5e349ccf618c8c0ab47c2bd1c667
                                                                                                    • Instruction ID: 7b8b57787fc21f454b4e02254cf429477d8d163cead22aa5f38bda1ce7852b78
                                                                                                    • Opcode Fuzzy Hash: fe7677e66213964fe25d853f61b63bbbb15e5e349ccf618c8c0ab47c2bd1c667
                                                                                                    • Instruction Fuzzy Hash: 5ED0173055558A4BE760EE28D8815F8B360EF43324FA02A69E65CC26D3CF25B8508A84
                                                                                                    Function 00007FF7C0EA3998 Relevance: .0, Instructions: 15COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ab5c8515ddebb3f6c854ba70c0acee5622d72b8770f49477c723e6d97534347d
                                                                                                    • Instruction ID: 853118ab0e3623a6ab02c1f3e706302cfdf4768d2b3d2caeb0d1e0d7e577b337
                                                                                                    • Opcode Fuzzy Hash: ab5c8515ddebb3f6c854ba70c0acee5622d72b8770f49477c723e6d97534347d
                                                                                                    • Instruction Fuzzy Hash: 7EC0223081890016822CB53848004313A99DB8E310300003DE04AC3380CD29780283D0
                                                                                                    Function 00007FF7C0EA397D Relevance: .0, Instructions: 10COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 4bdd48fc7332ce5d2c0b9f4f9648237afdc36c974775498ef7723fbeca06ccd1
                                                                                                    • Instruction ID: 9bb5b87fac50862ac0ff28c0eccc341cead74f35deb6d0454ed2c5a24ee7a9f4
                                                                                                    • Opcode Fuzzy Hash: 4bdd48fc7332ce5d2c0b9f4f9648237afdc36c974775498ef7723fbeca06ccd1
                                                                                                    • Instruction Fuzzy Hash: C2D0E934814765AFCB4CCF34C4D59D27731FF05319376156EC942C656AC735A115CE45
                                                                                                    Function 00007FF7C0CC738E Relevance: .0, Instructions: 9COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: da52313521ceeb1bc36475df25fb1aafa516fe513818647d97260b519e53fe71
                                                                                                    • Instruction ID: fc15bdb7debf43be8860b7e848c734d5c2df651e91a7ca9c4813e1d3cc02ed28
                                                                                                    • Opcode Fuzzy Hash: da52313521ceeb1bc36475df25fb1aafa516fe513818647d97260b519e53fe71
                                                                                                    • Instruction Fuzzy Hash: ABC09B6054559D5FC34797F9047C7957FD19F15110F1804DF44CDD72D1C92414874701
                                                                                                    Function 00007FF7C0CCAD1B Relevance: .0, Instructions: 2COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a8adf9eab4ef2f269b3e6200166f33f4afa2e076e7e055e0f2b22974bae340f7
                                                                                                    • Instruction ID: 68dc36051d1884ab46a6c1dbbeb4221fdfaca23fde553d2a76a7ea11bfced107
                                                                                                    • Opcode Fuzzy Hash: a8adf9eab4ef2f269b3e6200166f33f4afa2e076e7e055e0f2b22974bae340f7
                                                                                                    • Instruction Fuzzy Hash:

                                                                                                    Non-executed Functions

                                                                                                    Function 00007FF7C0CCA388 Relevance: .6, Instructions: 572COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3aac20b3158f4e3c87c5705d903d8c724eeefad0f597419a106c3b6366782d72
                                                                                                    • Instruction ID: d3eede323f9841fb058c7d66dd56c53dff38fd40cce3d34f42e378a6ccc31566
                                                                                                    • Opcode Fuzzy Hash: 3aac20b3158f4e3c87c5705d903d8c724eeefad0f597419a106c3b6366782d72
                                                                                                    • Instruction Fuzzy Hash: B2F11961B0CA4A4FE764BB7CA8562F8BBD1EF59360B0401BBD14DC7393DE18B8468395
                                                                                                    Function 00007FF7C0EA1D1D Relevance: .1, Instructions: 74COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1886270126.00007FF7C0EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0EA0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0ea0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 153507eb67ec3742cfac588bff581dc086ccbc9d0448d210abb17fa71b870ef1
                                                                                                    • Instruction ID: 35dc65c6c223e8de443a0da0efa53acb512d98fcb7d963ae02fcf964ef2703bf
                                                                                                    • Opcode Fuzzy Hash: 153507eb67ec3742cfac588bff581dc086ccbc9d0448d210abb17fa71b870ef1
                                                                                                    • Instruction Fuzzy Hash: 2F218C30E096588FDB24EF68C890AFDFBB1EF46320F5405ADD049A72D2CA786984CF50
                                                                                                    Function 00007FF7C0CC15EA Relevance: .0, Instructions: 44COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 8bc6370b9db455069bb701a014e4975cc77221415b90d3c3188afc4908184d9c
                                                                                                    • Instruction ID: 13eb8d1b0059485a0a83f728d42720faf408a02d7ada25a27dc7535b048e99b5
                                                                                                    • Opcode Fuzzy Hash: 8bc6370b9db455069bb701a014e4975cc77221415b90d3c3188afc4908184d9c
                                                                                                    • Instruction Fuzzy Hash: AB01713094D6898FDB61EFA484545ECBBF0EF4A320F6410EAD18DDB352C7386946CB40
                                                                                                    Function 00007FF7C0D1C11D Relevance: .0, Instructions: 30COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 00f76f5c80fd6e1e8069fb7ea36326ed91f63b017965a62ef3424498fa204c6a
                                                                                                    • Instruction ID: 2051090635b3186c9f30e161ee9217f61ccbcfd28855c62fa91ad6d4ca0b98d2
                                                                                                    • Opcode Fuzzy Hash: 00f76f5c80fd6e1e8069fb7ea36326ed91f63b017965a62ef3424498fa204c6a
                                                                                                    • Instruction Fuzzy Hash: B0E06D30C5060D8BDB10AE55E800AFAF3B0EB46224F401139D41CA3281C7356A55CBA5
                                                                                                    Function 00007FF7C0CC8AD3 Relevance: 7.6, Strings: 6, Instructions: 134COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: N_^,$N_^B$N_^D$N_^R$N_^T$N_^f
                                                                                                    • API String ID: 0-1467340338
                                                                                                    • Opcode ID: 6f20bf4c5a9872aa141a7ab94ae6cd065ddddfa9fdaae639eaac6cc6e1a4be00
                                                                                                    • Instruction ID: 7f7385a3d0639b5a6b2e18e1e8d3975b95b7fb1f38830869feb0f45318727b0c
                                                                                                    • Opcode Fuzzy Hash: 6f20bf4c5a9872aa141a7ab94ae6cd065ddddfa9fdaae639eaac6cc6e1a4be00
                                                                                                    • Instruction Fuzzy Hash: 6031DCA370842617D31176BD7C662E96B85DFA43B975481B7D34CCF283DE14308B86DA
                                                                                                    Function 00007FF7C0CC88FA Relevance: 5.1, Strings: 4, Instructions: 115COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000A.00000002.1865769307.00007FF7C0CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CC0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_10_2_7ff7c0cc0000_AteraAgent.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: N_^$N_^$N_^$N_^
                                                                                                    • API String ID: 0-3423731612
                                                                                                    • Opcode ID: 8a9519647bb026c2d3611db7c89e01632795b3ab63ea7889ffb19f5eb0f522df
                                                                                                    • Instruction ID: 257a1003abcf4987396a2c051b1d7ada259e533d0a445e5d88b0df0c5bdce8fd
                                                                                                    • Opcode Fuzzy Hash: 8a9519647bb026c2d3611db7c89e01632795b3ab63ea7889ffb19f5eb0f522df
                                                                                                    • Instruction Fuzzy Hash: A93119A6D0D1851FD312B76CACA22E57BD49F213ACB4C41F6D29CCE293EE18344543DA

                                                                                                    Executed Functions

                                                                                                    Function 00007FF7C0CE192D Relevance: 3.8, Strings: 2, Instructions: 1307COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: *"2Q$*"2Q
                                                                                                    • API String ID: 0-2209380242
                                                                                                    • Opcode ID: 31ab774d7b6cbc5a695c929707e2506e0b400d0759bfd659af92d2b356e642e4
                                                                                                    • Instruction ID: 82f54df5a074be94129698dd6fd98d9018826783bf67ba7c0a7c237fddbd57df
                                                                                                    • Opcode Fuzzy Hash: 31ab774d7b6cbc5a695c929707e2506e0b400d0759bfd659af92d2b356e642e4
                                                                                                    • Instruction Fuzzy Hash: 2692D130E089494FEB69EF2884507F8B7E2EF5A750F9401B9D14ECB383DE25B94587A1
                                                                                                    Function 00007FF7C0D002FD Relevance: 1.2, Instructions: 1243COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: ddbc7483459895195e25ef545ffe1c94ea9047b7a231e17d18d9d6053c381477
                                                                                                    • Instruction ID: a8eaea784b955ce237421032aa74ac5b6efa0b4cd1a7da951f4eb93826131c5c
                                                                                                    • Opcode Fuzzy Hash: ddbc7483459895195e25ef545ffe1c94ea9047b7a231e17d18d9d6053c381477
                                                                                                    • Instruction Fuzzy Hash: 55826E30B18A499FEB94EB2CC498BB5B7D2FF98310F4445BAD04EC7396DE24B8458791
                                                                                                    Function 00007FF7C0CEE215 Relevance: 2.7, Strings: 2, Instructions: 231COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: @W_H$_
                                                                                                    • API String ID: 0-3547518555
                                                                                                    • Opcode ID: 4c6f45d74b4b526c88d3d98301d0e9eb386f6b41498c427772da400da6bd7ddb
                                                                                                    • Instruction ID: 98680a46aba78060e3c20edd5fdc88ca0ab03c15ec0e1f3d3314057685202796
                                                                                                    • Opcode Fuzzy Hash: 4c6f45d74b4b526c88d3d98301d0e9eb386f6b41498c427772da400da6bd7ddb
                                                                                                    • Instruction Fuzzy Hash: 8D819070E089598FEBA9EB28D8947ECB7B1FF58350F5001BAD50DD7292CF3469828B54
                                                                                                    Function 00007FF7C0CEFAD8 Relevance: 1.6, Strings: 1, Instructions: 365COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: 5589db67cd942bf8703977f31907ac4c9a73713384f0f8a78ae28bd9958ad529
                                                                                                    • Instruction ID: c0c1c768a63eafb9c5cb4a6cb9fe7e388bc7deb48ae153b541e2197ac6089cdf
                                                                                                    • Opcode Fuzzy Hash: 5589db67cd942bf8703977f31907ac4c9a73713384f0f8a78ae28bd9958ad529
                                                                                                    • Instruction Fuzzy Hash: 93B1CD30618B098FD728EF18D8815B6B3E1FF99314B604A7DD59AC3696DB35F8438B81
                                                                                                    Function 00007FF7C0CEFA87 Relevance: 1.6, Strings: 1, Instructions: 329COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: 8b7daac7bd63048adaefeeba8b071799098d1e348b0fc86694214a58d72fb1ec
                                                                                                    • Instruction ID: ffe15fad2458be1b518805efb62206a0499592db4817666656e4750191f09dde
                                                                                                    • Opcode Fuzzy Hash: 8b7daac7bd63048adaefeeba8b071799098d1e348b0fc86694214a58d72fb1ec
                                                                                                    • Instruction Fuzzy Hash: 7BA1EC30A18A198FD728EF18D8815B6B7E1FF98324B64467DD19AC3252DB31F8538BC1
                                                                                                    Function 00007FF7C0CFD1D9 Relevance: 1.6, Strings: 1, Instructions: 311COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d
                                                                                                    • API String ID: 0-2564639436
                                                                                                    • Opcode ID: b10689f15ebfee05e7e39260d98b0735fd086db2957ac981012ef546bb4d7506
                                                                                                    • Instruction ID: f94f7c360d6f6860508f0bd17885218f67aabf530458e2536c15df44712011b2
                                                                                                    • Opcode Fuzzy Hash: b10689f15ebfee05e7e39260d98b0735fd086db2957ac981012ef546bb4d7506
                                                                                                    • Instruction Fuzzy Hash: 6C91ED70618B458FDB68EF08D495575B7E2FF98314B50467DD18AC3696CB31F8428BC2
                                                                                                    Function 00007FF7C0CEED14 Relevance: 1.4, Strings: 1, Instructions: 186COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: 5W_H
                                                                                                    • API String ID: 0-3395708803
                                                                                                    • Opcode ID: 90f4dc320961e9873080801f63755b5033d6e0aea56576c9adf18b85214e71de
                                                                                                    • Instruction ID: e5d799af9a6547d2ea8b5f7666aa3004f6ee81903bbbf347fa214f1831bb79db
                                                                                                    • Opcode Fuzzy Hash: 90f4dc320961e9873080801f63755b5033d6e0aea56576c9adf18b85214e71de
                                                                                                    • Instruction Fuzzy Hash: FC510B70E14A198FE7A8EB1C98997E8B3E5FF58350F5002E5951ED3296CF346E818B40
                                                                                                    Function 00007FF7C0CE3B08 Relevance: 1.4, Strings: 1, Instructions: 173COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: L_L
                                                                                                    • API String ID: 0-278280690
                                                                                                    • Opcode ID: e790af228321c60f26b9fec1418facc544d5144e9b016d86af4f0d1a0dcf5280
                                                                                                    • Instruction ID: 678744547d1b3dc7ab746c55b74e5d2b4055318d1d213612aa82c3783ed62847
                                                                                                    • Opcode Fuzzy Hash: e790af228321c60f26b9fec1418facc544d5144e9b016d86af4f0d1a0dcf5280
                                                                                                    • Instruction Fuzzy Hash: 5141F931E0CA4A4FE765FB2894586F9B7E1EF95360B5400BEE01DC7392DE25F8458790
                                                                                                    Function 00007FF7C0CFCCFB Relevance: 1.3, Strings: 1, Instructions: 86COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: wK_^
                                                                                                    • API String ID: 0-445847664
                                                                                                    • Opcode ID: 4071972445f9b5a69325710fe5ff30cc1d8c57ec2f874b6d8497907b5086d90c
                                                                                                    • Instruction ID: 4a9b4b56f06c4010fc9712f5e7162c8e5bd83406feda58eca1cbbaa7359a1742
                                                                                                    • Opcode Fuzzy Hash: 4071972445f9b5a69325710fe5ff30cc1d8c57ec2f874b6d8497907b5086d90c
                                                                                                    • Instruction Fuzzy Hash: 9421056270D9865FE724BB5DB8943E9F780FF942757444277C208C6257CB20B85683D0
                                                                                                    Function 00007FF7C0CE14F2 Relevance: 1.3, Strings: 1, Instructions: 78COMMON
                                                                                                    Download Yara Rule
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: ;3M_^
                                                                                                    • API String ID: 0-2993039973
                                                                                                    • Opcode ID: e0c79a2de155ef30c5b7d0c06396247a0c3092a509ac42c863c8e588d2d913d4
                                                                                                    • Instruction ID: 639f9ae8b14ca756500e17b5dbd2cc998e68cdddd3df12e32da131f9e7a4badd
                                                                                                    • Opcode Fuzzy Hash: e0c79a2de155ef30c5b7d0c06396247a0c3092a509ac42c863c8e588d2d913d4
                                                                                                    • Instruction Fuzzy Hash: 6F21CB70A0C68D8FDB46DB28C8506DDBFB1FF4A341B010196D045DB292DA346914CB91
                                                                                                    Function 00007FF7C0CFB298 Relevance: .6, Instructions: 598COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b2ca0eb414ffe5b66af64f1aa028ebbd1b272fa04b297529cdaf95e5a8630871
                                                                                                    • Instruction ID: 5893cab223a4abf62f8ab8c9944b13dfb44e65d79689bcc24bf46d69e8b75728
                                                                                                    • Opcode Fuzzy Hash: b2ca0eb414ffe5b66af64f1aa028ebbd1b272fa04b297529cdaf95e5a8630871
                                                                                                    • Instruction Fuzzy Hash: 5C02F1B0A0CD4A8FE755EF2894647A8BBE1FF99350B5441AAD04DC7297DF20F842CB81
                                                                                                    Function 00007FF7C0CE9920 Relevance: .5, Instructions: 540COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c5562e70d368d34dc0d9db3ebead2ea19aab29dbe4506556362b4ef4cf883626
                                                                                                    • Instruction ID: 806fdb31b04c84cbf97bc53a0ba396057ef8b84376b49d489714c288a6562aaa
                                                                                                    • Opcode Fuzzy Hash: c5562e70d368d34dc0d9db3ebead2ea19aab29dbe4506556362b4ef4cf883626
                                                                                                    • Instruction Fuzzy Hash: 13025170A18A498FD768EF1884557AAB7E2FF98350F50467ED48DC3396DF34E8418B82
                                                                                                    Function 00007FF7C0CEE160 Relevance: .5, Instructions: 485COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 736982a0ad574657a7304b4a06935e1d36715f293920e513a40fc3bc82a9ad9a
                                                                                                    • Instruction ID: bd926b96ba47ad9d28e4bfade396c6e4be7b65a40ed2aa95e855351ea1ac7523
                                                                                                    • Opcode Fuzzy Hash: 736982a0ad574657a7304b4a06935e1d36715f293920e513a40fc3bc82a9ad9a
                                                                                                    • Instruction Fuzzy Hash: 58D1D230B0C9094FEB98EB2C9895AB877D1EF99360B5041B9D54EC3297DE24F84287D2
                                                                                                    Function 00007FF7C0CEFA50 Relevance: .4, Instructions: 429COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 91602e2619db4bd64d46395866e91df2df8dad83cbf8fda44dcb5526913c8fdf
                                                                                                    • Instruction ID: 710202211ada3eab6da1af0a9a78d2920b6be66604215c24bb56c510614d627b
                                                                                                    • Opcode Fuzzy Hash: 91602e2619db4bd64d46395866e91df2df8dad83cbf8fda44dcb5526913c8fdf
                                                                                                    • Instruction Fuzzy Hash: 8AE10A30A18A0D8FDF98EF18C495AA977E2FFA8354F550169E41ED7395CB31E842CB81
                                                                                                    Function 00007FF7C0CED139 Relevance: .4, Instructions: 422COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c59778a724cb7992eb3d40a68df870434f46bb55916b4433c5f03b60a2cca0e4
                                                                                                    • Instruction ID: d20c97cd6c75c69c50413419413aa086d09b63367d13e471f07a1f2abc2abced
                                                                                                    • Opcode Fuzzy Hash: c59778a724cb7992eb3d40a68df870434f46bb55916b4433c5f03b60a2cca0e4
                                                                                                    • Instruction Fuzzy Hash: 88C1133160CB498FDB58EF18D444AA5BBE1FFAA310F54426ED14DC32A2DA31F846C782
                                                                                                    Function 00007FF7C0CEA248 Relevance: .4, Instructions: 403COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 847c9a9fbec015e07bd0c3ebac7213189f33e9020299167d24cbf637bafe3943
                                                                                                    • Instruction ID: d5ca25578d2549fc43f6914f8ea3ae64b4bdf4f18e6267c7e22497c185aa8b12
                                                                                                    • Opcode Fuzzy Hash: 847c9a9fbec015e07bd0c3ebac7213189f33e9020299167d24cbf637bafe3943
                                                                                                    • Instruction Fuzzy Hash: 54C1D621A0CA4E4FE7A9EF2C94587B877D1EF56360F8541BAD50DCB293DE14BC458390
                                                                                                    Function 00007FF7C0CF2A55 Relevance: .4, Instructions: 378COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 619fe17d05fd1fea061640eb87f1a0772365947e9eb332b3c78382149f6075b2
                                                                                                    • Instruction ID: 68d47221fba24e7e34219f9dbe17dafbb0c2d96ceeaf4c065f4f6be79aa60ba2
                                                                                                    • Opcode Fuzzy Hash: 619fe17d05fd1fea061640eb87f1a0772365947e9eb332b3c78382149f6075b2
                                                                                                    • Instruction Fuzzy Hash: E6A16E31708D098FEBB4EF5C94A4BA4B3D2FF9832175405BAD50EC73A6DA25EC428791
                                                                                                    Function 00007FF7C0CEC968 Relevance: .4, Instructions: 371COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3ae8173d045e5c4b5bb74ffa5b7080901b316842ba51706d0d198e32a01d4723
                                                                                                    • Instruction ID: b72ead6d9ff338ad7dd5b1b5e809402243a146c171334fa3d92bc770c92b31bd
                                                                                                    • Opcode Fuzzy Hash: 3ae8173d045e5c4b5bb74ffa5b7080901b316842ba51706d0d198e32a01d4723
                                                                                                    • Instruction Fuzzy Hash: C8C12762A0C6964FD311B77CA8523E9BBE0EF55364F0882B6D08DCB293DF24745687C9
                                                                                                    Function 00007FF7C0CFAB41 Relevance: .4, Instructions: 362COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b7dbe3818435afdd457f1f88cc9a5d7cf85e9ff12d5f4e642757eed517aa7fa0
                                                                                                    • Instruction ID: d4aef3874e7821c14c271f519d4d226a23a7dbf7de8c7df63ae181371ac049fc
                                                                                                    • Opcode Fuzzy Hash: b7dbe3818435afdd457f1f88cc9a5d7cf85e9ff12d5f4e642757eed517aa7fa0
                                                                                                    • Instruction Fuzzy Hash: 17B1E171A08A594FDB95EF6CD8956E9B7E1FF58360B0442BAD049CB293CF34F8458780
                                                                                                    Function 00007FF7C0CFCB6F Relevance: .4, Instructions: 353COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c0061e310154736987955104f84e165954318fb069132e7c8e1099a78ae2da12
                                                                                                    • Instruction ID: da0aaf90b12313681f582d9764d5944897b6dabceb9d3f34dbdb3bb90cb36129
                                                                                                    • Opcode Fuzzy Hash: c0061e310154736987955104f84e165954318fb069132e7c8e1099a78ae2da12
                                                                                                    • Instruction Fuzzy Hash: 77910623B0856A5FE324BA6DB8952E9BB90EFD43B5F444277D24CCA243DB24744687E0
                                                                                                    Function 00007FF7C0CF71FB Relevance: .3, Instructions: 349COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d324e730cf3a6dc6aca33e52beedfb17a32d695789e7fe57c6da445ef3b919d0
                                                                                                    • Instruction ID: 9953bafa9f6f6252f1e1a9c09764bb5663e898376b0b18d8985320dd830feda3
                                                                                                    • Opcode Fuzzy Hash: d324e730cf3a6dc6aca33e52beedfb17a32d695789e7fe57c6da445ef3b919d0
                                                                                                    • Instruction Fuzzy Hash: 0541F07091CA869FD354EB28C8947A5FBE1FF98350F00466AD08AC3292DB34F9518B82
                                                                                                    Function 00007FF7C0CE8216 Relevance: .3, Instructions: 331COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 61f705835c03bd38ea0410ed60255761d7b3418cc10490f4d7a1a44ef783bfca
                                                                                                    • Instruction ID: f4ad23758384496cdd714c2e2d5ce1de2e3246e89cf0d631438b562963f1db0b
                                                                                                    • Opcode Fuzzy Hash: 61f705835c03bd38ea0410ed60255761d7b3418cc10490f4d7a1a44ef783bfca
                                                                                                    • Instruction Fuzzy Hash: 3EB1B630508A8D4FEB69EF28C8957E97BE1FF55350F44426EE84DC7292CB34A945CB82
                                                                                                    Function 00007FF7C0CEB24F Relevance: .3, Instructions: 317COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b864e96912c712b206a8457385ccd5423aa38310be59d76c2af4233881f0949b
                                                                                                    • Instruction ID: 99548e42f544d55bac504113e17375edd19da26e6c31c967b0f7712ca78f071a
                                                                                                    • Opcode Fuzzy Hash: b864e96912c712b206a8457385ccd5423aa38310be59d76c2af4233881f0949b
                                                                                                    • Instruction Fuzzy Hash: 2DB19EB0A18A0A8FD754EBA8D8517EDB7B1FF99360F404276D109D7393DF2478418B91
                                                                                                    Function 00007FF7C0CE99A8 Relevance: .3, Instructions: 294COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 25cd193f4d780e04ccd4bcda217c9f255b55bf8a030d00ef16133179635d49b7
                                                                                                    • Instruction ID: a43782078ff6233078b59e71ce46bb132b60e613bdd704990357566c6eee4e47
                                                                                                    • Opcode Fuzzy Hash: 25cd193f4d780e04ccd4bcda217c9f255b55bf8a030d00ef16133179635d49b7
                                                                                                    • Instruction Fuzzy Hash: D991BD71618A4A8FD364EB18C4947E5F7E1FF98350F40467AD04AC3682CF34B9968B92
                                                                                                    Function 00007FF7C0CFA971 Relevance: .2, Instructions: 235COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1e83987fcf81dd6ff765c2ef367730b9d54829ffa7061976454f1563953864f1
                                                                                                    • Instruction ID: 5987550751bb8a8ec24eb49cfcfd61727e714aebee3c37dc98aeb2962ff32610
                                                                                                    • Opcode Fuzzy Hash: 1e83987fcf81dd6ff765c2ef367730b9d54829ffa7061976454f1563953864f1
                                                                                                    • Instruction Fuzzy Hash: 03513961B0CD4A0FD7A9AB2C98646F5F7D1EF9536078942B6C10DC7286DE28FC4283D1
                                                                                                    Function 00007FF7C0CF19FA Relevance: .2, Instructions: 227COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a5152c812b076da4cf1f6aa7e1c8ba187b3fe07bd848a457ef5164cb5dbc45b0
                                                                                                    • Instruction ID: b357d2d3e203d1225529b1a2932f53bdcfc0470f4cf3bac71008de6c5c7ca7d0
                                                                                                    • Opcode Fuzzy Hash: a5152c812b076da4cf1f6aa7e1c8ba187b3fe07bd848a457ef5164cb5dbc45b0
                                                                                                    • Instruction Fuzzy Hash: 57711571A0CA8A8FC755EF3C94662EA7BD0EF54364B14417AD08DC72A3DE24B85287C5
                                                                                                    Function 00007FF7C0CEC4D0 Relevance: .2, Instructions: 227COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 22996d4da85b0972883dd76446cbeef8b843119107747c515cee7189f203ca4d
                                                                                                    • Instruction ID: 97619d8ff45658f21d7ca9f228794c16edde7a8b59338a532af93bbb56e49533
                                                                                                    • Opcode Fuzzy Hash: 22996d4da85b0972883dd76446cbeef8b843119107747c515cee7189f203ca4d
                                                                                                    • Instruction Fuzzy Hash: 1C511332B0CA194FE324AB2DE8851F8B7D0FF99372B84017BD259C7292DE20784796D1
                                                                                                    Function 00007FF7C0D011DC Relevance: .2, Instructions: 192COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1f45aa2c99a003052d7ce25050f9ecd46798d0d1b691a68191b01ce45447990d
                                                                                                    • Instruction ID: 43877d9f320dedc385c7c4885c3f9b8d365433f7a99dcde073730540114dffda
                                                                                                    • Opcode Fuzzy Hash: 1f45aa2c99a003052d7ce25050f9ecd46798d0d1b691a68191b01ce45447990d
                                                                                                    • Instruction Fuzzy Hash: DA513B70A18A4D8FDF84EF29C495AA97BE1FF6C314F440169E44EC7292CB30E851CB81
                                                                                                    Function 00007FF7C0CE9942 Relevance: .2, Instructions: 187COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f71836ff71f82e7ea93772944018c10a31d17c9c0e76ef61053f80901ec841d8
                                                                                                    • Instruction ID: 1f75dd48c7d359a00159aaa849ce619a9e5a433e45194ac0ba4d95e9cfa46387
                                                                                                    • Opcode Fuzzy Hash: f71836ff71f82e7ea93772944018c10a31d17c9c0e76ef61053f80901ec841d8
                                                                                                    • Instruction Fuzzy Hash: 4F51037161CE4A5FD320AB2898957E5F7E1FF88361F4042BAC04AC3282DB34B9458BD2
                                                                                                    Function 00007FF7C0CEAC08 Relevance: .2, Instructions: 187COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 9222258be19085ba76cddc414fd036ee143ffa9a7899cb46f676ace0622b0355
                                                                                                    • Instruction ID: 4b276a381a17af5afd879121e3dd4cefb309524b7715f8c1622ee347ca4a7a27
                                                                                                    • Opcode Fuzzy Hash: 9222258be19085ba76cddc414fd036ee143ffa9a7899cb46f676ace0622b0355
                                                                                                    • Instruction Fuzzy Hash: B7411771B1CA4A4FA768AB1CA8451B573D1EFA6760B54013EE55EC3383DF25F8034281
                                                                                                    Function 00007FF7C0CF315D Relevance: .2, Instructions: 186COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 93bc9862af3cb96cbb41405dce404822a124462f1bab8d5af070900325c45c71
                                                                                                    • Instruction ID: 104bb64ac495fee327bd74cad4005efba9596f28a12c2614e5a1846c0e48e2a2
                                                                                                    • Opcode Fuzzy Hash: 93bc9862af3cb96cbb41405dce404822a124462f1bab8d5af070900325c45c71
                                                                                                    • Instruction Fuzzy Hash: 1341F53171DE0A1FEBA8AA1CA8516B5B7D1EF89330B4401BAD55EC3287DE25FC5283D1
                                                                                                    Function 00007FF7C0CECCDF Relevance: .2, Instructions: 175COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: a8fe9d1e2b3acc762c95ccde399c5cdbb50bb57774ae653e4c1995a69e820ab3
                                                                                                    • Instruction ID: a345dc33d8d57df5f969f39678a9ffda77b92587da717f8dbb946bc13c2ea39b
                                                                                                    • Opcode Fuzzy Hash: a8fe9d1e2b3acc762c95ccde399c5cdbb50bb57774ae653e4c1995a69e820ab3
                                                                                                    • Instruction Fuzzy Hash: 445108B0A18A1A8FDB54EBA8D8557ACFBA1FF58310F50426AD40DD3386CF3478518B81
                                                                                                    Function 00007FF7C0CF94F2 Relevance: .2, Instructions: 161COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1e6e36a0c8357bd945809e72835e4735bdcd288ff979bc1d4a8fbd3068a33d8b
                                                                                                    • Instruction ID: f190e630a6c17c83bb9db6d64f939f99568da9e229a701e9ef1a568370878547
                                                                                                    • Opcode Fuzzy Hash: 1e6e36a0c8357bd945809e72835e4735bdcd288ff979bc1d4a8fbd3068a33d8b
                                                                                                    • Instruction Fuzzy Hash: 1E51C370A0DA894FDB95EF2CC4606E9BBE1FF59324B14426AD04DC7297CA31E851CBC1
                                                                                                    Function 00007FF7C0CECA0D Relevance: .2, Instructions: 155COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 6593aa643427db08b7564f7900f74144ae04f46da39e471b0ae6dd558d70d707
                                                                                                    • Instruction ID: 45f27d1baf792cbe6d7b8bde06a06418c6ce2ade5f0d8332de7d31d9c8cf6d63
                                                                                                    • Opcode Fuzzy Hash: 6593aa643427db08b7564f7900f74144ae04f46da39e471b0ae6dd558d70d707
                                                                                                    • Instruction Fuzzy Hash: E0414753A0C6964BD311B33CE8523E5BB90EF41368F0885BAC0CCCA293EF24749687D9
                                                                                                    Function 00007FF7C0CF32BD Relevance: .2, Instructions: 154COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 24fa5bc96a253febab5b01b2017c5bac1bafd1e00c5b3bbe2c57616c6dfd104b
                                                                                                    • Instruction ID: 2e6201c7c730b6703b2d0a6c82d235ce196ef5c41ce71d025a0b04d04ef65216
                                                                                                    • Opcode Fuzzy Hash: 24fa5bc96a253febab5b01b2017c5bac1bafd1e00c5b3bbe2c57616c6dfd104b
                                                                                                    • Instruction Fuzzy Hash: 8E412A61B0DA491FE35AEA3C98552B47BD1EF56360B4500FEE049CB3E3DD15AC8A83A1
                                                                                                    Function 00007FF7C0CE99A5 Relevance: .2, Instructions: 152COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c4602f4eda9c3f962162d8d09b4d8111dd125d8307c11654cebc53c7291f8991
                                                                                                    • Instruction ID: 86ad4fb5c5a7701c3107895f1b7a123ffd2ca7281463d1841655e0f8fadfea7c
                                                                                                    • Opcode Fuzzy Hash: c4602f4eda9c3f962162d8d09b4d8111dd125d8307c11654cebc53c7291f8991
                                                                                                    • Instruction Fuzzy Hash: 9E41ED31618A4A9FC314EB18D8957EAF7E1FF98360F00427AD14AC3242DB34B9468B82
                                                                                                    Function 00007FF7C0CF9C05 Relevance: .1, Instructions: 128COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bc70c64a892734d2f34870ab03009e74074756bf1185aeded3e8c4f511da2d7a
                                                                                                    • Instruction ID: 31bbb45260cef677ab260391cb776ce88f972cff233e4ecbd3c9ca7736656d94
                                                                                                    • Opcode Fuzzy Hash: bc70c64a892734d2f34870ab03009e74074756bf1185aeded3e8c4f511da2d7a
                                                                                                    • Instruction Fuzzy Hash: 3031B520A0CB584FDB68AA1C98657B6B7D1EF95720F4401AFE589C3397CA19FC4183D3
                                                                                                    Function 00007FF7C0CE3BD4 Relevance: .1, Instructions: 112COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 1a3e5a6abffdd33eb9c801f05e8f281e6e5545339a3bb41d7000b8e235b91c4e
                                                                                                    • Instruction ID: 45bb0d9cc3d2e40a15d7042038e25021faf755c3ca513b33275551b43f0832ad
                                                                                                    • Opcode Fuzzy Hash: 1a3e5a6abffdd33eb9c801f05e8f281e6e5545339a3bb41d7000b8e235b91c4e
                                                                                                    • Instruction Fuzzy Hash: B1319430F0CD094FEB98AB2CA4157B8B2D2EF84361F644679E01DC3392DE29F8418790
                                                                                                    Function 00007FF7C0CE397D Relevance: .1, Instructions: 98COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e77133da7dc54b3e165798114adfae37f3f037970472e8188568162338831e23
                                                                                                    • Instruction ID: 36911b4b36f3c674b6cd26e4827d4b37f3af3272479ce01bbba65c4cd39a9985
                                                                                                    • Opcode Fuzzy Hash: e77133da7dc54b3e165798114adfae37f3f037970472e8188568162338831e23
                                                                                                    • Instruction Fuzzy Hash: 69218B71D4CA894FE756AB2848112F97BA1EF4631179501BAD02CCB392DF19B94583E1
                                                                                                    Function 00007FF7C0D01A25 Relevance: .1, Instructions: 95COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 55d446ad7968b8764e7f4d18b2dabfdb7ff6db5df41261377c1b86004a1c3f7d
                                                                                                    • Instruction ID: 435db454a838cd4791f1bd95e11753971e73420b88f8bbac964ae05a4c4b5293
                                                                                                    • Opcode Fuzzy Hash: 55d446ad7968b8764e7f4d18b2dabfdb7ff6db5df41261377c1b86004a1c3f7d
                                                                                                    • Instruction Fuzzy Hash: F7212230A0D94A8FC765EB2884546B5B7E1FF55325B8441BAD04EC7293CF18BC4687E1
                                                                                                    Function 00007FF7C0D019F9 Relevance: .1, Instructions: 92COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: d0b2155192a45a2373cb81b19d1c65d8f2f5b7ecb52d30ca665b822e8af39651
                                                                                                    • Instruction ID: 4fc62265cc5cca4f9d6caf733a3b2d53c29f98109126b4d06f333e4679b871b4
                                                                                                    • Opcode Fuzzy Hash: d0b2155192a45a2373cb81b19d1c65d8f2f5b7ecb52d30ca665b822e8af39651
                                                                                                    • Instruction Fuzzy Hash: AE21E530B0990A4FC694FB6C94956B9B7D1FF45325B8441BAD04EC7392CF18BC4187D1
                                                                                                    Function 00007FF7C0CFA1CD Relevance: .1, Instructions: 67COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e2f66c0f927daf7212218ea9ef3e531a0fbb5eca442fdc75f1b45f6528d38b81
                                                                                                    • Instruction ID: e077be07b0d8cb6ed58ed4fb415e3f43badd6e426b5f1428c47cdb8b4d147891
                                                                                                    • Opcode Fuzzy Hash: e2f66c0f927daf7212218ea9ef3e531a0fbb5eca442fdc75f1b45f6528d38b81
                                                                                                    • Instruction Fuzzy Hash: C301DB31A18A154FE791EB28D4587F5B7D0EF45310F0805F7E84CCB2A2DA59DC8183D2
                                                                                                    Function 00007FF7C0D01A40 Relevance: .1, Instructions: 67COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 2229b0b9550467c1e7f8ea65bc3e996bc81b04c4ad07b827eeb031ef8cc808c7
                                                                                                    • Instruction ID: f9eb638426e672fb32cbee6118f800237c401291024c1ade2a101eeabb579f5a
                                                                                                    • Opcode Fuzzy Hash: 2229b0b9550467c1e7f8ea65bc3e996bc81b04c4ad07b827eeb031ef8cc808c7
                                                                                                    • Instruction Fuzzy Hash: 88117330B058194FD6A4FF1C8458ABAB2D2FF98725B900579D04EC3392CF18BC4187D1
                                                                                                    Function 00007FF7C0CE334A Relevance: .1, Instructions: 65COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b76adbaae3008415df1c2f3e506be5a637a489b276458a9e6f8431dc223dbd0d
                                                                                                    • Instruction ID: 63ff032e6e78508b20660400ef11828ecf7667ba091bf9604c138d68da12b7fd
                                                                                                    • Opcode Fuzzy Hash: b76adbaae3008415df1c2f3e506be5a637a489b276458a9e6f8431dc223dbd0d
                                                                                                    • Instruction Fuzzy Hash: FB11E53190DBC94FDB939B7898156EA7FF1EF87220B0902EBD588C7193D5185806C792
                                                                                                    Function 00007FF7C0CFA990 Relevance: .1, Instructions: 53COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b63cea5b2d90b0e6ad6387ec9d3d8e020bcbcfc644fcb47a9025cd27ce59bd78
                                                                                                    • Instruction ID: b56fad3f76df58e9f9fe44f71d882f9b7f58c98e153e94de51d689d47565a4b2
                                                                                                    • Opcode Fuzzy Hash: b63cea5b2d90b0e6ad6387ec9d3d8e020bcbcfc644fcb47a9025cd27ce59bd78
                                                                                                    • Instruction Fuzzy Hash: 9601FE6061DD490F9B56D72D98946A5B7D2EF9931039942BEC04DC72D5CE20E84683C1
                                                                                                    Function 00007FF7C0CE34FD Relevance: .0, Instructions: 49COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bdf0ced5fbf7c4f1e4f44e59b2efb2694d90faee4b6ebd7c9169f4c3bb97b09a
                                                                                                    • Instruction ID: f5b6ca835b99a90271fc554aabfb8cdbfd9c47ad3d35d7987f33727bc985b4f1
                                                                                                    • Opcode Fuzzy Hash: bdf0ced5fbf7c4f1e4f44e59b2efb2694d90faee4b6ebd7c9169f4c3bb97b09a
                                                                                                    • Instruction Fuzzy Hash: 4001F72160E7850FD35A6738A8242943FA1DF46221B8A01EBD404CA2E3EA0DAC858391
                                                                                                    Function 00007FF7C0CE99F3 Relevance: .0, Instructions: 47COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 5e47b8a4c606c7464a5e6a027c1a8af9fc856c2bd5b269ed34d7392935620e4c
                                                                                                    • Instruction ID: 638600fd3dc158f87b61ac45218f7a113dc1ceb55b4124253b67f74847a79d41
                                                                                                    • Opcode Fuzzy Hash: 5e47b8a4c606c7464a5e6a027c1a8af9fc856c2bd5b269ed34d7392935620e4c
                                                                                                    • Instruction Fuzzy Hash: 98012676A0898C5FE751AB6C8C692E9BFA0FF85221F4400B7E948D7292DA312A458791
                                                                                                    Function 00007FF7C0D02961 Relevance: .0, Instructions: 41COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: aa4a47864f08014150afc6435d5af765f7731c6f4fe422fc128730f3bb49f2b2
                                                                                                    • Instruction ID: 2b86159a2048b4e241e7b48a37a015ff0b3262ddca242fc9ccd8205213f36adf
                                                                                                    • Opcode Fuzzy Hash: aa4a47864f08014150afc6435d5af765f7731c6f4fe422fc128730f3bb49f2b2
                                                                                                    • Instruction Fuzzy Hash: 0901DF3050EA844FD386DB28D868264BFE0EF56325F4901EEC44DC76A3DA2AA844C701
                                                                                                    Function 00007FF7C0CF0252 Relevance: .0, Instructions: 41COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b7da06732e65241ac2d0d689f2fbe405ad043a7a9cc4852916cc439314fe6233
                                                                                                    • Instruction ID: 44ebac59aca22503d6746d1d9bad7e1620a236ecfd63665d8b4e5d8fdc350e99
                                                                                                    • Opcode Fuzzy Hash: b7da06732e65241ac2d0d689f2fbe405ad043a7a9cc4852916cc439314fe6233
                                                                                                    • Instruction Fuzzy Hash: 52F0C83151D68A0FD3266B3898196A1BBE4EF56320B5901E7D448CB297DE18E98583E1
                                                                                                    Function 00007FF7C0D029C9 Relevance: .0, Instructions: 39COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 60c052fef5f4400127130d694a24ae00533fcc45e422029d9611a33529fa3c80
                                                                                                    • Instruction ID: 5ba0a9f91b49f751743b61bcc3455026515ee897dccbc929f79321342730f0da
                                                                                                    • Opcode Fuzzy Hash: 60c052fef5f4400127130d694a24ae00533fcc45e422029d9611a33529fa3c80
                                                                                                    • Instruction Fuzzy Hash: 6901A43050E7C48FD3679B348829261BFA0EF13315B1A08FFC086CB5B3DA29A844C712
                                                                                                    Function 00007FF7C0CF6A20 Relevance: .0, Instructions: 23COMMON
                                                                                                    Download Yara Rule
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000D.00000002.1427628812.00007FF7C0CE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF7C0CE0000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_13_2_7ff7c0ce0000_AgentPackageAgentInformation.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 3b9ebbb67a150631922a5dea1e1a5a34ccc76f32b4e8fd7f697cb4312b2993ef
                                                                                                    • Instruction ID: a8160815e915b112f95d34007edda70bc1088fc4d7c23b3aae58e65ffe9983bb
                                                                                                    • Opcode Fuzzy Hash: 3b9ebbb67a150631922a5dea1e1a5a34ccc76f32b4e8fd7f697cb4312b2993ef
                                                                                                    • Instruction Fuzzy Hash: 94E01260D569494FDA46BA2D89516843791AF5B250BC90091E848DF352F14F998D8363